MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b6394aea669466dccc9fdb61c99a3952e936be30a9187da8198f88974e5cae6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 15

SHA256 hash: 7b6394aea669466dccc9fdb61c99a3952e936be30a9187da8198f88974e5cae6
SHA3-384 hash: 1a3560acd10d2eb98ea0541e1a17b03a946dd08d026b332ab7afd2839dbc5fb2610ef913687f14d09503ee5cb19c380e
SHA1 hash: 0e419f2b47fd6141e892872d6717cb7b0bce440b
MD5 hash: 4a590c7886586918499923fcf36a16eb
humanhash: single-yellow-whiskey-stream
File name: 4a590c7886586918499923fcf36a16eb.exe
Download: download sample
Signature: NanoCore
File size: 695'776 bytes
First seen: 2021-12-27 17:55:43 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep: 12288:GAep/nMZaMZkzRaLzHkbKA5vYDq6UL+3E9K+pfO8h5BWu35WDdR7:GAep/nMZ2zQLDkeKZ6t39745BWu3gF
Threatray: 2'790 similar samples on MalwareBazaar
TLSH: T1CAE4BE8399647FB2F990D03F2A2ECF9252E59DFD3D5188C761E2BA6C20F694E15D0072
File icon (PE): PE icon
dhash icon: 36c138f48aa4d4c8 (1 x NanoCore)
Reporter: abuse_ch
Tags: exe NanoCore RAT


abuse_ch
NanoCore C2:
89.238.150.43:5512

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                   ThreatFox Reference
89.238.150.43:5512    https://threatfox.abuse.ch/ioc/279263/

Intelligence


File Origin
# of uploads: 1
# of downloads: 328
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 4a590c7886586918499923fcf36a16eb.exe
Verdict: Malicious activity
Analysis date: 2021-12-27 17:59:27 UTC
Tags: installer trojan rat asyncrat

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a file
DNS request
Creating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a process from a recently created file
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Verdict: Suspicious
Threat level: 5/10
Confidence: 60%
Tags: asyncrat overlay packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AgentTesla AsyncRAT GhostRat
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Detected unpacking (creates a PE file in dynamic memory)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicius Add Task From User AppData Temp
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Costura Assembly Loader
Yara detected GhostRat
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Behavior Graph ID: 545721; Sample: bpj0Ds25F3.exe; Start date: 27/12/2021; Architecture: WINDOWS; Score: 100
Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; 12 other signatures
Process tree (dropped files, network contacts and per-process signatures in parentheses; paths are truncated as shown on the page):
- bpj0Ds25F3.exe (drops C:\Users\user\AppData\Local\...\kgrodpbu.dll, PE32; Detected unpacking (creates a PE file in dynamic memory); Injects a PE file into a foreign processes)
  - bpj0Ds25F3.exe (drops C:\Users\user\AppData\Local\...\mozille.exe, PE32, and C:\Users\user\AppData\...\bpj0Ds25F3.exe.log, ASCII)
    - cmd.exe
      - mozille.exe (drops C:\Users\user\AppData\Local\...\kgrodpbu.dll, PE32; Multi AV Scanner detection for dropped file; Injects a PE file into a foreign processes)
        - mozille.exe (connects to 89.238.150.43 on ports 49775, 49786, 49789, M247GB, United Kingdom; drops C:\Users\user\AppData\Local\Temp\zobskt.exe, PE32, and C:\Users\user\AppData\Local\Temp\mxtgxo.exe, PE32; Tries to harvest and steal browser information (history, passwords, etc))
          - cmd.exe (Suspicious powershell command line found)
            - powershell.exe
              - mxtgxo.exe (drops C:\Users\user\AppData\Roaming\lkNPyh.exe, PE32; Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file)
            - conhost.exe
          - cmd.exe
            - powershell.exe
              - zobskt.exe
                - zobskt.exe
            - conhost.exe
      - conhost.exe
      - timeout.exe
    - cmd.exe (Suspicious powershell command line found; Bypasses PowerShell execution policy; Uses schtasks.exe or at.exe to add and modify task schedules)
      - conhost.exe
      - schtasks.exe
Threat name: Win32.Trojan.SpyNoon
Status: Malicious
First seen: 2021-12-27 08:08:57 UTC
File Type: PE (Exe)
Extracted files: 3
AV detection: 23 of 43 (53.49%)
Threat level: 5/5
Result
Malware family: asyncrat
Score: 10/10
Tags: family:agenttesla family:asyncrat botnet:default keylogger rat spyware stealer trojan
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla Payload
Async RAT payload
AgentTesla
AsyncRat
Malware Config
C2 Extraction:
89.238.150.43:5512
https://api.telegram.org/bot1900836728:AAEDyoYbBJwtt1EA4hdgRlGTN1cq760KPNU/sendDocument
Unpacked files
SHA256 hash: 6c19b543210b11f5c4fe905e46adb400fcf460e2132c07743f89f24d4e5764b4
MD5 hash: 205bd946840fecfc2be7ece5c3795faf
SHA1 hash: dbe9ca1b5341c552634d29d5710975bd1eac37a4
Detections: win_asyncrat_w0
SHA256 hash: 558898772f19dae7cef455f8ee36b40fa34e1af5b4de54b869e43a499f8d7c2c
MD5 hash: 237dd934ec49dc6371260dfd074341fd
SHA1 hash: 917d992fb612e3ec3b59cbcf4d0bf483f97e0d83
Detections: win_asyncrat_w0
SHA256 hash: 97354a9302739ba0c69bc8f57bc38526ce6011144380329ad4907db698ed7f1f
MD5 hash: dc935fa828d4366efdadec730362b1f1
SHA1 hash: 4184caddc9293357d399859c3683ecbd33c23a94
SHA256 hash: 7b6394aea669466dccc9fdb61c99a3952e936be30a9187da8198f88974e5cae6
MD5 hash: 4a590c7886586918499923fcf36a16eb
SHA1 hash: 0e419f2b47fd6141e892872d6717cb7b0bce440b
Malware family: AsyncRAT
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: asyncrat
Author: JPCERT/CC Incident Response Group
Description: detect AsyncRat in memory
Reference: internal research
Rule name: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
Author: ditekSHen
Description: Detects file containing reversed ASEP Autorun registry keys
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: win_asyncrat_j1
Author: Johannes Bader @viql
Description: detects AsyncRAT
Rule name: win_asyncrat_w0
Author: JPCERT/CC Incident Response Group
Description: detect AsyncRat in memory
Reference: internal research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments