MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 84b9fef1f2c0dd3e8f8dc93cf6574d30e2c6e5bc819599fea60c71876df0278d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 84b9fef1f2c0dd3e8f8dc93cf6574d30e2c6e5bc819599fea60c71876df0278d
SHA3-384 hash: 26b4dcebd5b3c1c9477d8335f85cd66851956ef7a0bdc3270f3ffb5f16dc6bf2249dd88c20c2ade87f62a73f2efa5fb2
SHA1 hash: d4455ac7ec0c49769b645e7471989bd7ee29f6fc
MD5 hash: c2ee32f9d7de6b05472ceda926fd0a6f
humanhash: twenty-comet-autumn-johnny
File name:SK TAX INV.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:493'568 bytes
First seen:2021-11-25 10:54:39 UTC
Last seen:2021-11-25 16:58:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:D1UFM0gixBFm0Ud7zqdz66fMPZl2t4v0f1zo0naysDDayUyhD2:D18M0gi1Kd73LD2tp3HwDRUyhD
Threatray 3'332 similar samples on MalwareBazaar
TLSH T16EA4122927B84614CFED077764A09355633AA65AFD0ECB6D37C1B06C19E63128722BCF
Reporter cocaman
Tags:exe INVOICE NanoCore

Intelligence

File Origin
# of uploads :
6
# of downloads :
158
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SK TAX INV.exe
Verdict:
Malicious activity
Analysis date:
2021-11-25 11:00:16 UTC
Tags:
trojan nanocore rat
Link:
https://app.any.run/tasks/112ad328-2633-4895-897e-4f82dfdfb8ae

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
SecuriteInfo.com.ArtemisC2EE32F9D7DE.25158.322.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
DNS request
Unauthorized injection to a recently created process
Creating a file
Creating a file in the %AppData% subdirectories
Creating a file in the Program Files subdirectories
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/619f6b9002c80febc2a913fd/reports/a39486f1-0020-4c93-a4ae-eefe31a3333f/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NanoCoreRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ccf8a6e5-646b-4baa-93e2-4cdfadb948c5
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/896032
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Yara detected AntiVM3
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/84b9fef1f2c0dd3e8f8dc93cf6574d30e2c6e5bc819599fea60c71876df0278d/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-11-25 09:33:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qs4754psydot5d4nze6pmv2ngdrmnzn4qgkzt7vgbryyo3pqe6gq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
07f511ce3b6a8fb409c1a05ea3e01a6d92422674224109c8d0889a017122098c
NanoCore
2b8a102443d6ed4c84471a54f058f24f5f55485bba73ebd785fdce294e337110
NanoCore
305bf6557bcc3df14cf33993d14e03fa84a6bd7611a990402fae4522ff098454
NanoCore
3d8811d64e17d5ea06d0edae6163b90b2400d06d9afa60ae689d6fe9232bca86
NanoCore
4d01d1b24f4f7487669486becc7ff8b43a126f56ffb3d8fcce8c66b200412475
NanoCore
4d394ed696ee7fb3d53a7b064c53f2157b28d9f192de912fe311dd284845e4c9
NanoCore
5a8b4dc95322eed89a2c77350395f8c1f79394369bebec84703ae285092a37f5
NanoCore
7ceb354c4f419b3daed055ae62d5b1aaf58a7b715f8e9de08e5379e7e70ebeb6
NanoCore
9f96527c9f839559485e89c5c5ff8f95708035fd55c9fac0c2edf3764224d860
NanoCore
a276b0d2aaf8a132ffbe9ae16763975bcf38fc1e5a6419890712fc3de02b793f
NanoCore
+ 3'322 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/211125-mz62rsacb2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
NanoCore
Malware Config
C2 Extraction:
dera31.ddns.net:1187
195.133.18.211:1187
Unpacked files
SH256 hash:
901df5083eeafcbf2099f0a2cbeccb581861d9eea33af3a8e82e72a06b8d9302
MD5 hash:
4d1b6b178fc0b27a9da188e8d33510d2
SHA1 hash:
e9aac48006e9c658cfe1a4f6dcbc8e0d92caaadc
Link:
https://www.unpac.me/results/45c60590-f270-4439-bbfd-7e567e7343d3/
SH256 hash:
bcbbb12a5dee34dc84b2e56f6e7e8bd7f9c0c1680485dd86e3a6d65b21ffd733
MD5 hash:
568d53b6ebd3c16aae493b75a6630ac8
SHA1 hash:
b00ec034b78e4543ff2df1d53e47b02d6b3adb11
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/45c60590-f270-4439-bbfd-7e567e7343d3/
Parent samples :
597b37383f0db8f45ac44bf4b34b8ec275e5f47dab27a03ac79d33790298a42d
dc67d526778506c9a50dd58b681dcd1dc12b82ddf6d7fc2e1097ee3e14ec62e6
56cdb2b48b6c92ed9b25a441bb8bd39d9a952bd3632e21675f2cdc42fc38e0ba
0b4a6e0a3daed7e93bc660cb8942f61674053668791b567581722a28f5413d4c
5e56b94e3be34affd39e1807de617daaaff2bf6844e49275e98d9b3b6b5216d0
a99697cc6e1dd9fa9fdcf15578d870d74ac342941a7fd0fd8d94ada4c3e43375
d0db3a18c0593a628f5c7e2a92b48369c10823af44d4f1e97f0bfbfd84043c59
40bbc3b0772a0365c7c91858d53373935cd72bbe27a431c976cafa12a2305d2e
70cd26dee77c61ddbf3458217f5316bf8e80178a2836095ca3cfe8e34574a7a4
5529226f3c19a35974bb052c674080826df121b5cc3fdb8ccf88c8d7d84d2740
37649a092c0ad878f4fb8d8578c2e7ca110360ba1575e0697baf1efa8e5cb409
e6a01ce5b7532b69a312fee870b244d1df1a6cac00551981c850ce38edc79af5
b186f6738901b0cf5824a3e3789af05342f414f30ad10d615a2b1a4203280627
84b9fef1f2c0dd3e8f8dc93cf6574d30e2c6e5bc819599fea60c71876df0278d
c79d764afe76a2ef453dc220a59820e20eaec56d44ed6ce56f04a76936309ca3
ecda999a236c97792f58358a9b4d89efef315912c58c3471c86a53730d8bca15
8b95710749714e99690b1b32ace69521208b3bb6420765d56647a5fc073a3813
69c47c41277449a2f7b646d5de7ae5d51bf944844b48b9b0df998ff9b6d3a3c9
SH256 hash:
f6639a3b21a09ca5e9e43e10f8ac7f822956232806805252096f03f68bc9815c
MD5 hash:
aa334e922c53c5cba0b43c342ac13b14
SHA1 hash:
68109327b5e98174293bb348dfea6a088cbd5d2f
Link:
https://www.unpac.me/results/45c60590-f270-4439-bbfd-7e567e7343d3/
SH256 hash:
84b9fef1f2c0dd3e8f8dc93cf6574d30e2c6e5bc819599fea60c71876df0278d
MD5 hash:
c2ee32f9d7de6b05472ceda926fd0a6f
SHA1 hash:
d4455ac7ec0c49769b645e7471989bd7ee29f6fc
Link:
https://www.unpac.me/results/45c60590-f270-4439-bbfd-7e567e7343d3/
Malware family:
NanoCore
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/84b9fef1f2c0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Nanocore
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/84b9fef1f2c0dd3e8f8dc93cf6574d30e2c6e5bc819599fea60c71876df0278d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

zip 903656946f337fff8ad4dbdca1feddf02f41ae1b5376a80e84c46d3bd3acf2ab

NanoCore

Executable exe 84b9fef1f2c0dd3e8f8dc93cf6574d30e2c6e5bc819599fea60c71876df0278d

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 903656946f337fff8ad4dbdca1feddf02f41ae1b5376a80e84c46d3bd3acf2ab
Cape
Cape
https://www.capesandbox.com/analysis/209285/
  
Dropped by
SHA256 62146835a7a26a8b596a1cccb45fd0ec7d863b4f92aad6d9262add86a624e9d6

Comments