MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a1b75a8b3848111c53d0287765fb5b8f6f2030a63a13cedcfb574a3f43bd836f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Spambot.Kelihos


Vendor detections: 8


Intelligence 8 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a1b75a8b3848111c53d0287765fb5b8f6f2030a63a13cedcfb574a3f43bd836f
SHA3-384 hash: 1433813951c33212c5ad332b46207c2ae19fcfc85c77a4fc6b9e34d68d2f68d3ebed041e0dc3587fc62a0352922874ea
SHA1 hash: 71f22e9e6c72860ecd25efc71f542d0082213602
MD5 hash: 7e4783cc7af647a419eb2b49862d98df
humanhash: robert-music-twelve-snake
File name:A1B75A8B3848111C53D0287765FB5B8F6F2030A63A13C.exe
Download: download sample
Signature Spambot.Kelihos
Create hunting rule
File size:24'635'331 bytes
First seen:2021-08-30 01:12:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c9adc83b45e363b21cd6b11b5da0501f (82 x ArkeiStealer, 60 x RecordBreaker, 46 x RedLineStealer)
ssdeep 393216:U91dbfOYigleMKcxEKBHbKPa52o5gYnkgfBqWy0x3eZFGgIzlMCcxhiLUXw1aW:AOuVKKBHbKg/kgfBqWndepIZpcxheUXA
Threatray 2'983 similar samples on MalwareBazaar
TLSH T1054733279614D7B3C10B29F0AC542677B425B6752225088FB7EDE6780B331B52EB6EF0
dhash icon 1703dc587064231f (1 x Spambot.Kelihos)
Reporter abuse_ch
Tags:exe Spambot.Kelihos


Avatar
abuse_ch
Spambot.Kelihos C2:
185.19.85.147:54999

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.19.85.147:54999 https://threatfox.abuse.ch/ioc/192582/

Intelligence

File Origin
# of uploads :
1
# of downloads :
137
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.PSW.Generic8.ISF.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Delayed reading of the file
Creating a file in the %temp% subdirectories
Creating a file in the Program Files subdirectories
Deleting a recently created file
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file
Creating a process with a hidden window
Moving a recently created file
Sending a UDP request
Modifying a system file
Launching a process
Creating a file in the Windows subdirectories
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Connection attempt to an infection source
Adding an access-denied ACE
Enabling the 'hidden' option for recently created files
Setting a single autorun event
Unauthorized injection to a recently created process
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/841175
Signature
Allocates memory in foreign processes
AutoIt script contains suspicious strings
Binary is likely a compiled AutoIt script file
Detected Nanocore Rat
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Suspicious Process Start Without DLL
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 473606 Sample: A1B75A8B3848111C53D0287765F... Startdate: 30/08/2021 Architecture: WINDOWS Score: 100 100 grosjeangerard.hopto.org 2->100 106 Malicious sample detected (through community Yara rule) 2->106 108 Multi AV Scanner detection for submitted file 2->108 110 Sigma detected: NanoCore 2->110 112 5 other signatures 2->112 10 A1B75A8B3848111C53D0287765FB5B8F6F2030A63A13C.exe 14 12 2->10         started        13 msiexec.exe 2->13         started        15 ExpressVPN_6.8.6.6583.exe 2->15         started        17 3 other processes 2->17 signatures3 process4 file5 94 C:\Users\user\AppData\...\bluff_Protected.exe, PE32 10->94 dropped 96 C:\...\expressvpn_6.8.6.6583.exe, PE32 10->96 dropped 98 C:\Program Files (x86)\...\Uninstall.exe, PE32 10->98 dropped 19 bluff_Protected.exe 10->19         started        23 expressvpn_6.8.6.6583.exe 3 10->23         started        26 rundll32.exe 11 13->26         started        28 rundll32.exe 11 13->28         started        30 rundll32.exe 13->30         started        32 ExpressVPN_6.8.6.6583.exe 15->32         started        34 rundll32.exe 17->34         started        36 rundll32.exe 17->36         started        38 2 other processes 17->38 process6 dnsIp7 58 C:\Users\user\AppData\...\RMActivate_isv.exe, PE32 19->58 dropped 114 Uses schtasks.exe or at.exe to add and modify task schedules 19->114 116 Writes to foreign memory regions 19->116 118 Allocates memory in foreign processes 19->118 120 Injects a PE file into a foreign processes 19->120 40 RegAsm.exe 19->40         started        102 6.8.6.65 DNIC-AS-00668US United States 23->102 60 C:\Users\user\...\expressvpn_6.8.6.6583.exe, PE32 23->60 dropped 45 expressvpn_6.8.6.6583.exe 2 80 23->45         started        64 6 other files (none is malicious) 26->64 dropped 66 6 other files (none is malicious) 28->66 dropped 68 6 other files (none is malicious) 30->68 dropped 47 ExpressVPN_6.8.6.6583.exe 32->47         started        70 7 other files (none is malicious) 34->70 dropped 72 6 other files (none is malicious) 36->72 dropped 62 C:\Windows\Installer\...\WixSharp.dll, PE32 38->62 dropped 74 11 other files (none is malicious) 38->74 dropped file8 signatures9 process10 dnsIp11 104 grosjeangerard.hopto.org 185.19.85.147, 49746, 49747, 49748 DATAWIRE-ASCH Switzerland 40->104 76 C:\Users\user\AppData\Roaming\...\run.dat, ISO-8859 40->76 dropped 122 Hides that the sample has been downloaded from the Internet (zone.identifier) 40->122 78 C:\Users\user\...xpressVPN_6.8.6.6583.exe, PE32 45->78 dropped 80 C:\Users\user\AppData\Local\...\mbapreq.dll, PE32 45->80 dropped 82 C:\Users\user\AppData\Local\...\mbahost.dll, PE32 45->82 dropped 90 13 other files (none is malicious) 45->90 dropped 49 ExpressVPN_6.8.6.6583.exe 30 8 45->49         started        84 C:\Users\user\AppData\Local\...\mbapreq.dll, PE32 47->84 dropped 86 C:\Users\user\AppData\Local\...\mbahost.dll, PE32 47->86 dropped 88 C:\Users\user\AppData\...\WixSharp Setup.exe, PE32 47->88 dropped 92 12 other files (none is malicious) 47->92 dropped 52 ExpressVPN_6.8.6.6583.exe 47->52         started        file12 signatures13 process14 file15 56 C:\ProgramData\...xpressVPN_6.8.6.6583.exe, PE32 49->56 dropped 54 ExpressVPN.exe 49->54         started        process16
Gathering data
Threat name:
Win32.Ransomware.Generic
Create hunting rule
Status:
Suspicious
First seen:
2019-12-20 08:14:37 UTC
AV detection:
11 of 25 (44.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ug3vvczyjairyu6qfb3wl623r5xsamfghij45xh3k5fd6q55qnxq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
28dac03786f358f9f18751a1e0809e61de6f29a999c45ebc42b778ecf924a880
Spambot.Kelihos
505ee92cc8ef33380562fe79e62f623a7b502e38c8f5ad7243a26a5fefe04b2f
Spambot.Kelihos
5a6ec33655b094adad729342ca628d990053825ee805d99a4e0b6108b5047e51
Spambot.Kelihos
5b2225a591d41d6e2d5cf8155f0e63115446c948633b20536e8f2fce5756a859
Spambot.Kelihos
62239c71860b849f45e1273d3bfd670f0d93d8f267ff4bac59a96e91d21944b7
Spambot.Kelihos
87ed12ca31489f4c5669a05fb47037aebebb7be8688528d4066dd75546ffcc22
Spambot.Kelihos
c3ecd490c37b81d4675c4f57cb6417e62edf45e4ce6890dc7ae7fc99d3ab207e
Spambot.Kelihos
eac8890a620d2879e7b40ac6bac679d4246f07721a2551dd8f8a9a7e74b5385d
Spambot.Kelihos
f432f50b14cb721f69809523f29c418ec34189bf8277e8881c276528bc9ba472
Spambot.Kelihos
fab230794e95cf1e3f8b01e6f4d5c61547a53c20ebe04d761226a1d119d48b2f
Spambot.Kelihos
+ 2'973 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore discovery evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210830-tpyx9r1mb2/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Enumerates connected drives
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Executes dropped EXE
NanoCore
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/a1b75a8b3848/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a1b75a8b3848111c53d0287765fb5b8f6f2030a63a13cedcfb574a3f43bd836f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments