MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a3831a809f241debe49dfbf4674fe0f2ee6ca776db06f87ff9a521a87774ddf0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a3831a809f241debe49dfbf4674fe0f2ee6ca776db06f87ff9a521a87774ddf0
SHA3-384 hash: dad5817881bf0808e25e876172354623e3f8b6bb356c47cde10a3101ffff075ece01158d7a9e11deb210bc6a6b0c391d
SHA1 hash: 615826b8e777a816aa66953be2ee781a04f993a8
MD5 hash: c2bb2d4f92997abc98184627f82d1c17
humanhash: winter-four-arkansas-xray
File name:Request For Quotation Invoice 26-01-2022.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:695'296 bytes
First seen:2022-01-26 09:41:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:ZAF3lr1lGrSps9dh8AoX7jtfFKJ8SOpjs0s84wMur7hMl+rm:2F3lJldcia8MhwMUtQ
Threatray 2'384 similar samples on MalwareBazaar
TLSH T1E6E49CABF448C926C19D087A81DFB08D03B5F823ADCBF59E3E97F1096661B479A4510F
File icon (PE):PE icon
dhash icon c89c98acacacbcac (31 x Loki, 23 x AgentTesla, 22 x AveMariaRAT)
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
NanoCore C2:
89.238.150.43:57095

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
89.238.150.43:57095 https://threatfox.abuse.ch/ioc/324262/

Intelligence

File Origin
# of uploads :
1
# of downloads :
234
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Request For Quotation Invoice 26-01-2022.exe
Verdict:
Malicious activity
Analysis date:
2022-01-26 09:49:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ff98bfd8-df6d-46f7-85dc-8e2db4384dbf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AsyncRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/223123/
Detection(s):
SecuriteInfo.com.PUA.EmbeddedEXE-1.UNOFFICIAL
Create hunting rule

Win.Dropper.Smdd-6956905-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/61f117718581cbffe0857ff4/reports/6c8e854f-7217-4e97-8284-e5826e4a39dc/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4d6704bb-02c9-44be-b6c4-b73f2652f4ae
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/927809
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicius Add Task From User AppData Temp
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 560285 Sample: Request For Quotation Invoi... Startdate: 26/01/2022 Architecture: WINDOWS Score: 84 76 Yara detected AntiVM3 2->76 78 Yara detected AsyncRAT 2->78 80 .NET source code contains potential unpacker 2->80 82 6 other signatures 2->82 10 Request For Quotation Invoice 26-01-2022.exe 7 2->10         started        14 chromeex.exe 2->14         started        process3 dnsIp4 68 C:\Users\user\AppData\Roaming\rJsFVhP.exe, PE32 10->68 dropped 70 C:\Users\user\AppData\Local\...\tmp82E6.tmp, XML 10->70 dropped 86 Adds a directory exclusion to Windows Defender 10->86 17 Request For Quotation Invoice 26-01-2022.exe 6 10->17         started        20 powershell.exe 21 10->20         started        22 schtasks.exe 1 10->22         started        24 Request For Quotation Invoice 26-01-2022.exe 10->24         started        74 192.168.2.1 unknown unknown 14->74 26 powershell.exe 14->26         started        28 schtasks.exe 14->28         started        file5 signatures6 process7 file8 66 C:\Users\user\AppData\Local\...\chromeex.exe, PE32 17->66 dropped 30 cmd.exe 17->30         started        32 cmd.exe 1 17->32         started        34 conhost.exe 20->34         started        36 conhost.exe 22->36         started        38 conhost.exe 26->38         started        40 conhost.exe 28->40         started        process9 process10 42 chromeex.exe 30->42         started        45 conhost.exe 30->45         started        47 timeout.exe 30->47         started        49 conhost.exe 32->49         started        51 schtasks.exe 32->51         started        signatures11 84 Adds a directory exclusion to Windows Defender 42->84 53 powershell.exe 42->53         started        55 schtasks.exe 42->55         started        57 chromeex.exe 42->57         started        60 2 other processes 42->60 process12 dnsIp13 62 conhost.exe 53->62         started        64 conhost.exe 55->64         started        72 89.238.150.43, 49804, 57095 M247GB United Kingdom 57->72 process14
Detection:
asyncrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a3831a809f241debe49dfbf4674fe0f2ee6ca776db06f87ff9a521a87774ddf0/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-01-26 09:42:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uobrvae7eqo6xze57p2got7a6lxgzj3w3mdpq77zuuq2q53u3xya._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
080e155065338954032cfbd27b1aa26668e65e44193c30cb86a88ba0bb229815
NanoCore
18be387adc69a0a431483d4854c0f55011bc3b93b743f81f4352921f0bcc20e9
NanoCore
53173bd6c646d3f4a8404d0f508caa27fb4ab7a3c2df3e4fe3912bfaa94093c3
NanoCore
7d1962c7ac6121291ef77096176106435182e49873b65f4438a1c45b4337672a
NanoCore
a7a5d46039a2203b38b2d56f4f1509ab9f6a64f9614817422871f1d3e5a7a889
NanoCore
cc6ecb1abf601cdb52778e27f966fc67d4912af696f9649413ecc19ffbad9f24
NanoCore
ed3eae26ede1b3190f45469133d587aa44ebe1db63a2b81b925edcc49ff265c4
NanoCore
+ 2'374 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:default rat spyware stealer
Link:
https://tria.ge/reports/220126-lpcjqsbgg2/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
89.238.150.43:57095
Unpacked files
SH256 hash:
299980bf27b03b19eaa68481e77fe9d3c908feef9b486f716d2c5a3ca2e1cd09
MD5 hash:
0f600daefdc4038c4388ba6d0f170283
SHA1 hash:
f149512d8e2598e3a1e6da266025eed1a5ce5785
Detections:
win_asyncrat_w0
Create hunting rule
Link:
https://www.unpac.me/results/6bf194fb-c215-41c2-8c17-468b60032ff4/
Parent samples :
7d1962c7ac6121291ef77096176106435182e49873b65f4438a1c45b4337672a
1b662d7015e25e2eba4e7b535732df5310c28ddd80797c260eebadfed1a1197d
a3831a809f241debe49dfbf4674fe0f2ee6ca776db06f87ff9a521a87774ddf0
SH256 hash:
f433880e9ab70ba7a1519698f8d077016432319c543b3a7b048e5de93b616e32
MD5 hash:
b09027f3769997d637c1474e4b1f3d49
SHA1 hash:
0077bfc9954411a5f1c66ff46f37c52126121788
Link:
https://www.unpac.me/results/6bf194fb-c215-41c2-8c17-468b60032ff4/
SH256 hash:
5247926388ed51a1178cb1de85bc5df1443c240ace43d7d9386edf8d7fceec02
MD5 hash:
9a6cb543f17cc6f61c016dbc8a331bc2
SHA1 hash:
62210e9d0f4d5b8101886a336feb3e1ae0eaf824
Link:
https://www.unpac.me/results/6bf194fb-c215-41c2-8c17-468b60032ff4/
SH256 hash:
a3831a809f241debe49dfbf4674fe0f2ee6ca776db06f87ff9a521a87774ddf0
MD5 hash:
c2bb2d4f92997abc98184627f82d1c17
SHA1 hash:
615826b8e777a816aa66953be2ee781a04f993a8
Link:
https://www.unpac.me/results/6bf194fb-c215-41c2-8c17-468b60032ff4/
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/a3831a809f24/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a3831a809f241debe49dfbf4674fe0f2ee6ca776db06f87ff9a521a87774ddf0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/223123/

Comments