MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9741ab464f2da0ec1effb39154615874073ccd368f77260b865c7fa7acd123b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9741ab464f2da0ec1effb39154615874073ccd368f77260b865c7fa7acd123b0
SHA3-384 hash: 93712431065e2e33f8e02d1e07cd928bd7c75266aebec592382c2e60924d661c998f44cd5ba82e30da9ad3ebd6838514
SHA1 hash: 8c1d7ee58c5c767b58a01425b8584a3f9abf9c52
MD5 hash: e10c403a6eec866d5772812c5edcc0a7
humanhash: beryllium-ten-beryllium-vermont
File name:PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:1'089'024 bytes
First seen:2021-05-03 05:36:51 UTC
Last seen:2021-05-03 06:03:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:/3MWjQo86HiBADJuSxRvi1W8rLZ2LCs3UCrhDxYIuhY8H3MOPiBV+yOlr5BibS:/lB2VILZZtDruhKO6BV+yOR
Threatray 198 similar samples on MalwareBazaar
TLSH CD35BE2FB64C6B5CD21A0E72B97A00B082E5DF176631F6DE79D4DCEE092120E4B4B1D6
Reporter abuse_ch
Tags:exe NanoCore

Intelligence

File Origin
# of uploads :
2
# of downloads :
109
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/148149/
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Sending a UDP request
Creating a window
Running batch commands
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Nanocore AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/707646
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 402742 Sample: PO#KV18RE001_A5491NGOCQUANG... Startdate: 03/05/2021 Architecture: WINDOWS Score: 100 68 Found malware configuration 2->68 70 Malicious sample detected (through community Yara rule) 2->70 72 Sigma detected: Scheduled temp file as task from temp location 2->72 74 8 other signatures 2->74 9 PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe 15 7 2->9         started        13 explorers.exe 14 3 2->13         started        15 InstallUtil.exe 2->15         started        17 2 other processes 2->17 process3 file4 58 C:\Users\user\AppData\Roaming\explorers.exe, PE32 9->58 dropped 60 C:\Users\user\AppData\...\InstallUtil.exe, PE32 9->60 dropped 62 C:\Users\...\explorers.exe:Zone.Identifier, ASCII 9->62 dropped 64 PO#KV18RE001_A5491...IONSERVICE5.exe.log, ASCII 9->64 dropped 84 Hides that the sample has been downloaded from the Internet (zone.identifier) 9->84 19 explorers.exe 4 9->19         started        23 cmd.exe 1 9->23         started        86 Multi AV Scanner detection for dropped file 13->86 25 conhost.exe 15->25         started        27 conhost.exe 17->27         started        29 conhost.exe 17->29         started        signatures5 process6 file7 50 C:\Users\user\AppData\Roaming\AMRAW.exe, PE32 19->50 dropped 76 Writes to foreign memory regions 19->76 78 Allocates memory in foreign processes 19->78 80 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->80 82 Injects a PE file into a foreign processes 19->82 31 AMRAW.exe 19->31         started        34 InstallUtil.exe 19->34         started        38 conhost.exe 23->38         started        40 reg.exe 1 1 23->40         started        signatures8 process9 dnsIp10 88 Antivirus detection for dropped file 31->88 90 Multi AV Scanner detection for dropped file 31->90 92 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 31->92 98 2 other signatures 31->98 66 79.134.225.91, 4488, 49731, 49732 FINK-TELECOM-SERVICESCH Switzerland 34->66 52 C:\Users\user\AppData\Roaming\...\run.dat, data 34->52 dropped 54 C:\Users\user\AppData\Local\...\tmpE599.tmp, XML 34->54 dropped 56 C:\Program Files (x86)\...\dhcpmon.exe, PE32 34->56 dropped 94 Uses schtasks.exe or at.exe to add and modify task schedules 34->94 96 Hides that the sample has been downloaded from the Internet (zone.identifier) 34->96 42 schtasks.exe 34->42         started        44 schtasks.exe 34->44         started        file11 signatures12 process13 process14 46 conhost.exe 42->46         started        48 conhost.exe 44->48         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9741ab464f2da0ec1effb39154615874073ccd368f77260b865c7fa7acd123b0/
Threat name:
ByteCode-MSIL.Backdoor.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2021-05-03 01:35:17 UTC
AV detection:
6 of 47 (12.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=s5a2wrspfwqoyhx7woiviykyoqdtztjwr53smc4glr72plgreoya._file
Verdict:
unknown
Similar samples:
0ecfbf08398e1d0470c2f4d40a490808bd1b177cb60d674c5459d85f242952ab
NanoCore
5024f734215b78dad35ba4390d346c029d19eb14d90983cf48c2b16726df14d9
NanoCore
5cd44014177c68a2e4bf08bdf8ec2e779c13a340cc830ad2c3a7a71676780b0d
NanoCore
8948c6ec9f9e49de7b8546ae27fbaf0d95cb773c27cd10a1d62a45f7608dd651
NanoCore
9e4326708091e0200c65e604aa974e6032c0533e2fa1e71d39f8d78ebacd8195
NanoCore
a4d205329a6c438c3442880287c5fb05810fb3de3bf82ddcba557176c2a6d7fd
NanoCore
d0a2be2c26efa68a6f69a4173b21c251b3c1e55b4d64cdf67394f923c9c23452
NanoCore
df9b8b0093bdcff2dc73e2da55ea3c94cc90febcf05c4bb4edde266b3f376a55
NanoCore
ec694537528f39e61c4a295e99932641ac2660f8580911790926294c4a190afc
NanoCore
ec744aeae689c95f44a24eb398e65c3a722595de5504db84b2e41488f30a7510
NanoCore
+ 188 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:nanocore agilenet evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210503-gb6alr5r42/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla Payload
AgentTesla
NanoCore
Malware Config
C2 Extraction:
79.134.225.91:4488
Unpacked files
SH256 hash:
9741ab464f2da0ec1effb39154615874073ccd368f77260b865c7fa7acd123b0
MD5 hash:
e10c403a6eec866d5772812c5edcc0a7
SHA1 hash:
8c1d7ee58c5c767b58a01425b8584a3f9abf9c52
Link:
https://www.unpac.me/results/29c8119d-ee6d-4edc-8a03-a17bfcf1b712/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Nanocore
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9741ab464f2da0ec1effb39154615874073ccd368f77260b865c7fa7acd123b0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/148149/

Comments