MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae82fbab9d30ba8a6f7c542855fdd7f51a7ed3f777fc3fd1c2b1c20f22f776ac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 8



SHA256 hash: ae82fbab9d30ba8a6f7c542855fdd7f51a7ed3f777fc3fd1c2b1c20f22f776ac
SHA3-384 hash: 08b4b00026f2403f5f7449f8553f21fc670bff516f2af30dcc2320862cc52bfc368877530478b65dd4b790215f619c43
SHA1 hash: 10f28cbbc1046b857bf38b234b0800411a6ff262
MD5 hash: 6d1ae53f039b71951425e5ccb76b5fc9
humanhash: triple-uncle-charlie-pluto
File name: XKZMK092599.vbs
Signature: NanoCore
File size: 829 bytes
First seen: 2021-05-29 12:11:05 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 24:ffoRKzZnRKziRjUW12C8EN0XOyQv/ReeRKzVn:ffoeZebs5N0Xax5eVn
Threatray: 2'699 similar samples on MalwareBazaar
TLSH: 7C016675F73D57F05634A2EA87EC05C19F5C82DF70A4B89D8E266E5DB4BE0B81683028
Reporter: abuse_ch
Tags: NanoCore RAT vbs


abuse_ch
NanoCore C2:
51.81.105.225:1177

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                    ThreatFox Reference
51.81.105.225:1177     https://threatfox.abuse.ch/ioc/66781/
207.32.217.113:9090    https://threatfox.abuse.ch/ioc/66782/

Intelligence


File Origin
# of uploads: 1
# of downloads: 399
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process from a recently created file
Running batch commands
Creating a window
Launching a process
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Sending a UDP request
Creating a file
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Result
Threat name:
AsyncRAT
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Found malware configuration
Injects a PE file into a foreign processes
Powershell creates an autostart link
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
VBScript performs obfuscated calls to suspicious functions
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected MSILLoadEncryptedAssembly
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Behavior Graph ID: 426626, Sample: XKZMK092599.vbs, Startdate: 29/05/2021, Architecture: WINDOWS, Score: 100

Sample-level observations: DNS/IP elmerfloyd.com; signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Yara detected Powershell download and execute; 6 other signatures.

Process tree (parent -> child, with per-process network activity, dropped files and signatures as recorded in the graph):

wscript.exe
  signatures: VBScript performs obfuscated calls to suspicious functions; Wscript starts Powershell (via cmd or directly)
  -> powershell.exe
       network: firasaliworkshop.org (66.45.250.212, 443, 49730, 49744; IS-AS-1US United States); zeh5rw.am.files.1drv.com; 3 other IPs or domains
       dropped: C:\Users\Public\msi.ps1 (ASCII)
       signatures: Creates an undocumented autostart registry key; Bypasses PowerShell execution policy; Powershell creates an autostart link
       -> powershell.exe
            signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
            -> MSBuild.exe
                 network: aliveafterguard.icu (51.81.105.225, 1177, 49751, 49753; OVHFR United States)
                 dropped: C:\Users\user\AppData\Local\Temp\ryqkry.js (ASCII)
                 -> cmd.exe
                      signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly)
                      -> powershell.exe
                           -> wscript.exe
                                signatures: Wscript starts Powershell (via cmd or directly)
                                -> powershell.exe
                                     -> conhost.exe
                      -> conhost.exe
       -> powershell.exe
       -> conhost.exe
Threat name:
Script.Downloader.Heuristic
Status:
Malicious
First seen:
2021-05-29 12:11:11 UTC
AV detection:
2 of 47 (4.26%)
Threat level:
  2/5
Result
Malware family:
asyncrat
Score:
  10/10
Tags:
family:asyncrat rat
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Blocklisted process makes network request
Async RAT payload
AsyncRat
Malware Config
Dropper Extraction:
https://onedrive.live.com/download?cid=D307CDD4938F2AA9&resid=D307CDD4938F2AA9%21114&authkey=AFBLwPN7_9nUyGI
https://firasaliworkshop.org/nor/bb.ps1
https://firasaliworkshop.org/nor/dim.bat
https://firasaliworkshop.org/nor/dim.lnk
https://firasaliworkshop.org/nor/dim1.ps1
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments