MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a2bb219a5ecfa042dc97a47aeda8a637f49e70e09af3f7b52f7974f7b1c39172. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 8


Intelligence 8 IOCs 1 YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a2bb219a5ecfa042dc97a47aeda8a637f49e70e09af3f7b52f7974f7b1c39172
SHA3-384 hash: 1bd6bd336fdeb43717c5787d4eae759bf5bfef571fa419ffd844b946cbcfc76097b6a3fbb1e7b3d87829a8254a6ae5cd
SHA1 hash: ca1a5cefafcd9e4f37bb3880d96aa0fb86043cf1
MD5 hash: 72208e35ab96b53baffd99165d2f50cb
humanhash: speaker-failed-speaker-fillet
File name:DHLAWB# 9284880911 pdf.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:791'040 bytes
First seen:2021-05-03 02:05:21 UTC
Last seen:2021-05-03 12:50:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:25+tz1qUQFb6Jn7Hqty7Q6gUKljtD8hgeo2JvKy12cmLqfnkp6gM:2oJ1qLFba7QyE6ghVt8geJ52cmLqf5g
Threatray 67 similar samples on MalwareBazaar
TLSH 38F41221B35CEF05D57E577809322D106FF4E50EDBA6EB0AFE6860DD1466E8602A2F13
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
NanoCore C2:
23.105.131.171:4040

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
23.105.131.171:4040 https://threatfox.abuse.ch/ioc/28090/

Intelligence

File Origin
# of uploads :
4
# of downloads :
125
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/148079/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.9791.29306.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/706865
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a2bb219a5ecfa042dc97a47aeda8a637f49e70e09af3f7b52f7974f7b1c39172/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=uk5sdgs6z6qefxexur5o3kfgg72j44hatlz7pnjppf2ppmodsfza._file
Verdict:
unknown
Similar samples:
507dd7e9ab7c21513c515ff90f21a0b79b2b7b5a907c9fef6a6589308b84b169
NanoCore
5cdc13420f4812754d41158ca2015d69c2d7c903f1b00f90db14705eee8f8cc8
NanoCore
5eda4d8e1c09d096abc2f2697045cd0f2e683041996b375f511701deba3e73a4
NanoCore
84228b439980a337d1ebc688d6b5838f74f9aec40fd46133591489aad3e2a40e
NanoCore
953dbb9ca35863510d6d914e086589d8609b86e41b48e75c69d91309ac5d0422
NanoCore
bad8f00ba21fa345e1ef7a8120ef4b8468f719e5c9214372864ec65f187f32d5
NanoCore
bb21e5cc104a482d8d806a79b75f20781bde73dfb3ac59d6cd58fed12e9757e5
NanoCore
fc7e525dc299db52088c9ffe5432c60fb0db2ad700cfa9ddf8310b38574f90e0
NanoCore
fd5bc14dfef4ce87d17e11189789c91c56212b2a46532d42a77f5ceb79620b99
NanoCore
ff2020d1de8cadf2705002dc3d02b1d5fd2de4b74b3a42ef7215c937d70867b4
NanoCore
+ 57 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210503-1g3e66zvwe/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks whether UAC is enabled
NanoCore
Malware Config
C2 Extraction:
23.105.131.171:4040
Unpacked files
SH256 hash:
bdf79e57b5574f9bafb56f6d0592f5ee429df7eb0ad536fbdb4f2956aae36f87
MD5 hash:
826b29e2a141b055a5491c9d7dc6eea7
SHA1 hash:
af4201362b8603bf7e4b6e2ead1cfb610dd7c0a9
Link:
https://www.unpac.me/results/e46dbb03-f159-48b1-8e53-8bf46fc1a2cf/
SH256 hash:
a2bb219a5ecfa042dc97a47aeda8a637f49e70e09af3f7b52f7974f7b1c39172
MD5 hash:
72208e35ab96b53baffd99165d2f50cb
SHA1 hash:
ca1a5cefafcd9e4f37bb3880d96aa0fb86043cf1
Link:
https://www.unpac.me/results/e46dbb03-f159-48b1-8e53-8bf46fc1a2cf/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a2bb219a5ecfa042dc97a47aeda8a637f49e70e09af3f7b52f7974f7b1c39172

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/148079/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-03 03:01:09 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009] Anti-Behavioral Analysis::Virtual Machine Detection