MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a342e3327fc258c1634ffd9e27f0635bd2dc8aeada903d2cac0c5e1ab2e00811. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 10


Intelligence 10 IOCs YARA 16 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a342e3327fc258c1634ffd9e27f0635bd2dc8aeada903d2cac0c5e1ab2e00811
SHA3-384 hash: 4a2e1458b12727b1ae1e353122712634de8012b50157170e08106ffad50125ce5538baad0ef0975f2c7f9d18f57c7f7d
SHA1 hash: dc73d785c3e899a58a5616239e89d3fd3d49bb93
MD5 hash: 61d8ca5f3ec331a08c9032840b99eb5b
humanhash: berlin-nuts-double-pip
File name:ConsoleSniffer v4.1 installer.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:8'257'024 bytes
First seen:2021-06-20 07:23:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 196608:ZqD6pzTpQLf6OYIwLZxdTM2GAGcFb8NPwp6jyqoqf0Pb1pur:KMvzLdTL9b8Ndjy5+
Threatray 286 similar samples on MalwareBazaar
TLSH 6986334E26CA75F4C0CBC47AD404479E04E02987B65790816DD02BEB52EA7FA9ED386F
Reporter ShinigamiOwl
Tags:exe NanoCore

Intelligence

File Origin
# of uploads :
1
# of downloads :
200
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Console Sniffer Cracked.7z
Verdict:
Malicious activity
Analysis date:
2021-02-17 07:32:12 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bec9729d-79de-4ca3-9ce4-9b49f72e7c99

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
FirebirdRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/167142/
Detection(s):
Win.Packed.Generic-9805835-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ffb41ca7-c66b-438c-b365-dd1b6c18c021
Result
Threat name:
Hive RAT
Create hunting rule
Detection:
malicious
Classification:
bank.troj.adwa.evad
Score:
70 / 100
Link:
https://www.joesandbox.com/analysis/804860
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Injects a PE file into a foreign processes
Install WinpCap (used to filter network traffic)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Beds Obfuscator
Yara detected Hive RAT
Yara detected MultiObfuscated
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 437271 Sample: ConsoleSniffer v4.1 installer.exe Startdate: 20/06/2021 Architecture: WINDOWS Score: 70 104 Antivirus detection for dropped file 2->104 106 Antivirus / Scanner detection for submitted sample 2->106 108 Multi AV Scanner detection for dropped file 2->108 110 10 other signatures 2->110 8 ConsoleSniffer v4.1 installer.exe 10 2->8         started        12 name.exe 4 2->12         started        14 Installer.exe 2->14         started        16 14 other processes 2->16 process3 dnsIp4 80 C:\Users\user\AppData\Local\Temp\svhost.exe, PE32 8->80 dropped 82 C:\Users\user\AppData\Local\...\name.exe.bat, ASCII 8->82 dropped 84 C:\...\ConsoleSniffer v4.1 installer.exe.log, ASCII 8->84 dropped 86 C:\Users\user\AppData\Local\Temp\File.exe, PE32 8->86 dropped 112 Writes to foreign memory regions 8->112 114 Allocates memory in foreign processes 8->114 116 Injects a PE file into a foreign processes 8->116 19 File.exe 14 30 8->19         started        22 cmd.exe 3 8->22         started        24 cmd.exe 1 8->24         started        34 2 other processes 8->34 88 C:\Users\user\AppData\Local\...\name.exe.lnk, MS 12->88 dropped 118 Antivirus detection for dropped file 12->118 120 Machine Learning detection for dropped file 12->120 26 cmd.exe 12->26         started        28 cmd.exe 12->28         started        30 svhost.exe 12->30         started        90 C:\Windows\SysWOW64\Packet.dll, PE32 14->90 dropped 92 C:\Windows\SysWOW64\wpcap.dll, PE32 14->92 dropped 122 Install WinpCap (used to filter network traffic) 14->122 32 Installer.exe 14->32         started        100 127.0.0.1 unknown unknown 16->100 124 Changes security center settings (notifications, updates, antivirus, firewall) 16->124 37 2 other processes 16->37 file5 signatures6 process7 dnsIp8 62 C:\Program Files (x86)\...\n, PE32 19->62 dropped 64 C:\Program Files (x86)\...\c, PE32 19->64 dropped 66 C:\Program Files (x86)\...\ConsoleSniffer.exe, PE32 19->66 dropped 76 13 other files (1 malicious) 19->76 dropped 39 vcredist_x86 - 2012 update 4.exe 1 19->39         started        41 Launcher.exe 19->41         started        68 C:\Users\user\AppData\Local\Temp\...\name.exe, PE32 22->68 dropped 43 conhost.exe 22->43         started        45 conhost.exe 24->45         started        47 timeout.exe 1 24->47         started        70 C:\Users\user\...\name.exe:Zone.Identifier, ASCII 26->70 dropped 49 conhost.exe 26->49         started        51 conhost.exe 28->51         started        72 C:\Windows\System32\wpcap.dll, PE32+ 32->72 dropped 78 2 other files (none is malicious) 32->78 dropped 102 77.247.127.140, 6608 CLOUVIDERClouvider-GlobalASNGB United Kingdom 34->102 53 conhost.exe 34->53         started        74 C:\Windows\System32\...\SET6CA.tmp, PE32+ 37->74 dropped 55 conhost.exe 37->55         started        file9 process10 process11 57 vcredist_x86 - 2012 update 4.exe 39->57         started        60 msiexec.exe 41->60         started        file12 94 C:\Users\user\AppData\...\vcredist_x86.exe, PE32 57->94 dropped 96 C:\Users\user\AppData\Local\...\wixstdba.dll, PE32 57->96 dropped 98 C:\Users\user\AppData\Local\...\MSIE69E.tmp, PE32 60->98 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a342e3327fc258c1634ffd9e27f0635bd2dc8aeada903d2cac0c5e1ab2e00811/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-08-09 14:34:04 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=unbogmt7yjmmcy2p7wpcp4ddlpjnzcxk3kid2lfmbrpbvmxabaiq._file
Verdict:
unknown
Similar samples:
1b7d7515f98891cf08164a7469bb9c9f3133e7834cfe99d55094594ca330e982
NanoCore
34eea6a07ea67c590471581473b4a17d5ac8214e1ec94464af43fb2ce7334808
NanoCore
3c167530a131f9dc899b73b9eac971b38e44d41cf291893fde8e575602c2b846
NanoCore
46836190326258f65c9dbc1930b01e9d3de04996a1a2c79e39a36c281d79fe0a
NanoCore
48643d9ccc694960fb84f505524d0f148a0331a7e2569171ff3999dd60bc7154
NanoCore
48c1378f5e48ec365691bf3cf9c44f381e181c0e669df0169ff057c2cf8917f8
NanoCore
5ce9dedae33e348bed0fc2fa2f8831adc8263177b7d2674dc634cd2709beba09
NanoCore
9217d926826128058e86a2a2bba020ea38062503648e320194b22d1ade0ffee9
NanoCore
efea5e4af45434b028bbb6f0f45e57d74cc37a0d46ba85921f456806d48bc97c
NanoCore
ff4a3e44fcd1cfbbf10ac318aca7559e0c20d0563e11e8a98e21e09e97ca68d3
NanoCore
+ 276 additional samples on MalwareBazaar
Result
Malware family:
hiverat
Create hunting rule
Score:
  10/10
Tags:
family:hiverat rat stealer
Link:
https://tria.ge/reports/210620-z8p3p7r522/
Behaviour
Delays execution with timeout.exe
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Drops startup file
Loads dropped DLL
Executes dropped EXE
HiveRAT Payload
HiveRAT
Unpacked files
SH256 hash:
708c9ab1f4e7627e76023c79e73f2d3ffe766920afe6e27338111b92f491dc24
MD5 hash:
2953eeafec54c265f7a6b27a49a763fd
SHA1 hash:
f7ed53b2b5ec1881373b46b5c02f03de5c7d09ef
Link:
https://www.unpac.me/results/0c43f074-ea0f-4bf7-9709-c47ad1e129b0/
SH256 hash:
37d62e5d330a6a1fe27f7fe8efa9c1ffca0254bab3307fd38ff7f08d29d144c3
MD5 hash:
ec462a224d13e7c6973b520c78fedcf4
SHA1 hash:
f7486d1b54ae1e4589ec4492bc0650fadfab0f53
Detections:
win_agent_tesla_g1
Create hunting rule
Link:
https://www.unpac.me/results/0c43f074-ea0f-4bf7-9709-c47ad1e129b0/
SH256 hash:
12d3242533932a3f86a072859a2bde62c4b091b3812d41f23760e4d760660b6d
MD5 hash:
583d229f796c5f059222f276b6ba9f21
SHA1 hash:
54d584ef1ac7bbc9ced0ed8794cab7113edce2a0
Link:
https://www.unpac.me/results/0c43f074-ea0f-4bf7-9709-c47ad1e129b0/
SH256 hash:
3687c239bef350048ec98efe4954eeec0a2d1adc6b4cc1eb64139769341c2bb4
MD5 hash:
888eb61fe6c53788d3b93b29deb33ff5
SHA1 hash:
876589d9e27dfea18862779a0200781abe115bff
Link:
https://www.unpac.me/results/0c43f074-ea0f-4bf7-9709-c47ad1e129b0/
SH256 hash:
a342e3327fc258c1634ffd9e27f0635bd2dc8aeada903d2cac0c5e1ab2e00811
MD5 hash:
61d8ca5f3ec331a08c9032840b99eb5b
SHA1 hash:
dc73d785c3e899a58a5616239e89d3fd3d49bb93
Link:
https://www.unpac.me/results/0c43f074-ea0f-4bf7-9709-c47ad1e129b0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a342e3327fc258c1634ffd9e27f0635bd2dc8aeada903d2cac0c5e1ab2e00811

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod Beds Protector
Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_FirebirdRAT
Create hunting rule
Author:ditekSHen
Description:Firebird/Hive RAT payload
Rule name:pe_imphash
Create hunting rule
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/167142/

Comments