MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 b80b496fbcd8fdc4e6bc183162a25e530bf8b2ed8b8adf5ea1285159527942e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
NanoCore
Vendor detections: 15
| SHA256 hash: | b80b496fbcd8fdc4e6bc183162a25e530bf8b2ed8b8adf5ea1285159527942e2 |
|---|---|
| SHA3-384 hash: | 88febbf3787fcf65f4be391e0830fcf7ab3babef09b97700541d345acb160eeca533dd2131e24aaf99513b8d08e3ecee |
| SHA1 hash: | 9a22fb716a4cd3b788d76fe83727b7f72f88bd7f |
| MD5 hash: | 14b2132d5a30f91278dc7bb5e624e364 |
| humanhash: | six-sad-connecticut-artist |
| File name: | PAYMENT_.EXE |
| Download: | download sample |
| Signature | NanoCore |
| File size: | 819'712 bytes |
| First seen: | 2022-08-03 17:53:07 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger) |
| ssdeep | 12288:CJYbSgg6SKlpxr2iN8NS+1oGeP6/2vU0USuVsoLfaiuL1xUFzZ0OCQlKU+:OSLlpxr1j+mZy/28nZK25 |
| Threatray | 6'827 similar samples on MalwareBazaar |
| TLSH | T1E405E0841357AF37F0397BB2B15590082B71512D90E2E2698EECF8EE69B1B5309F5B07 |
| TrID | 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13) |
| Reporter |  pr0xylife |
| Tags: | exe NanoCore |
Intelligence
File Origin
# of uploads :
1
# of downloads :
381
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
nanocore
ID:
1
File name:
PAYMENT_.EXE
Verdict:
Malicious activity
Analysis date:
2022-08-03 17:54:17 UTC
Tags:
trojan nanocore rat
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Detection(s):
Result
Verdict:
Malware
Maliciousness:
Behaviour
Launching a process
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NanoCoreRAT
Verdict:
Malicious
Result
Threat name:
Nanocore
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Threat name:
ByteCode-MSIL.Backdoor.NanoBot
Status:
Malicious
First seen:
2022-08-03 17:54:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
21
AV detection:
8 of 40 (20.00%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
malicious
Label(s):
nanocorerat
Similar samples:
+ 6'817 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Score:
10/10
Tags:
family:nanocore evasion keylogger persistence spyware stealer trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Checks computer location settings
NanoCore
Malware Config
C2 Extraction:
brewsterchristophe.ddns.net:5899
194,147,5,75:5899
194,147,5,75:5899
Unpacked files
SH256 hash:
39c2d879c57f07305ce60412dc8a88f02e51f1a14a06cc605768d1d7f5313807
MD5 hash:
db51fe170a9e5d6ec5429a2fbd9d0353
SHA1 hash:
e30a58125fc41322db6cf2ccb6a6d414ed379016
SH256 hash:
a2f7f50a4ffee238bf17ff58124968fc5c00abc9c31e9229339d81bb8966cd74
MD5 hash:
f091ecb22a7a7c37b49f1957f353aea5
SHA1 hash:
56c12ed3c2469c527f153a0b6a772bb03d296dbd
SH256 hash:
a9c5b2c628a47247402ff05d399855caf6f6a22146d44cd0fd9d7fc05a65ba66
MD5 hash:
228ff1006be83039e4de2b5e0475a5b0
SHA1 hash:
3adef5cc343067fa6b9d5e712114dc619c867a72
SH256 hash:
1705f8964f5c236633462fd39a5014dab266d579d4c6eefb65ac1ce95e22c552
MD5 hash:
23e4d54d6d369f1cef788806c92f512a
SHA1 hash:
274d8ceb73e8ed7661451c8aba24cecd830cd302
Detections:
win_nanocore_w0
Parent samples :
a321efcbd0394eade04263fd6498396c3e831ed65aa349c00dbf2b131994e19a
57fd565bb44788ce8f547cf1f439fb37bbe78944175bbc43ffa4b64156665556
c59c3b7e61af36979afe094310c06e24677975d07026ec9af07bfde74da794b6
8c8804a51f249b24b1ae1ad4487ed7bddd999f2a38158ef789af1c215559470e
d6538ca0dc816bcfb3f60df32e6550b91f3bd055af29f02591bcc3523ef921f6
78a74ab5a966c5040df4bb1b1a08a3bfa7d947aaee7e926b52a20186ed7f7158
64fb8789e8e0fb9c082c2999538a5dec7de3d0f722db0e95024134cce9a6d3d0
449055658e47e349dc4bb4e3c0adb81350033e687379f97237c6c80d6f1cb228
6b9c180d50ea0534d74fa091c19e53e40d98362cf4cc89519a65f328a701c6d4
0c8a003199b0dad7f78d98264132563b69b9dc7db94070f8f4e3a8d772ba31e8
b80b496fbcd8fdc4e6bc183162a25e530bf8b2ed8b8adf5ea1285159527942e2
1521a38b6aae5d1956ed09556fd9f6aa20b14d56e10232425aba7289b6d8bae5
c8f0e0c3a2fdc30c0bdb9981d9351b645991582db1a3f13858b180d9fe336694
1f3a7e183273798800d2655de5632cf9d900ba43cb7141ee871138baa58368a9
fadc03fc007070883778ae79c131e4c7b32e4fd9bcfce160471c2562c1a1fffb
b2b9d072b9292b91cb1b06073976e14ad1b2ae058b9c0d8b501105aca2881599
8a3d4a0f0802ea706906f866136b5e9544209d2e11e5c8b807a0a1a4dc378adb
13b4310ab48353c03081863aed798e98bd052f34a185deec31cc53fb8581400b
6039522fefe49f8bd1fdce03aaaace7c17b953ee76866329664d3a170bf13e2c
46d47ddb45405f4df17bb8257f53cc4136224e7869f870c1e6fcc34a81a28c4a
301327113173e1a09d26663802c3e61571e49eb4022138e4b8a5a4c59c5aef84
092800cb5a3d6b797e42f69f02c7247a85c87f5c9cf42811401d37dd8d1f7333
f7855a902d3593167f12ec67e73d286537596ce14aba2c890cfcfac016f4d564
b49ae429c9b3e4e9e59823d44795b16fc7184e5d18d9c7a1b7f70e11ee6c4400
6c29578e601488f2515975c4d31bd6a5042da0578d9eef2db6801bffba10cf23
3dddb479a1240c5cfdc2636cdd8bc0ecd3d2e9da37a6b4d73e206a768cc24181
6c8576cf231fd3e4c6812399704820c6b9d462e99d696181adf071015b92ea27
5f203844e8cb82ad24fcef815c4fcb03fa14789663e8fa83b459e6f1f1852f27
f01dd589bf6eee71da5d8f1dd99471c0ff2b2e4071147bfcad07d75727258425
a509158e1105757bec0ff3f7dd621360d0acb1f17271841c19dab776004cd17e
f2d01738489cb69458555f6fe64ba65e0ed7fe444f2eb04ad71c968ded40d48c
9d3daf108dbb469968ba5f3bacd9a629c274f00d74eba9569d59609242700349
bafacce7e32e02ec671933a99bdb31c65addf24813422f50f0a5879637210255
2c49d57864b4be1f8b2907b78e963abc931333d98ad1653be2a9826f412500fb
5f33488d404030c908ce3cc6a99867d2ccd697e2d67a5e02d23fe73b45f7e2a0
982d20cce7e6458f1b964b36efef0c7245bd155962c04b08e02323c9efc60f3b
2777c2ab1358ff442a0744634600581a71c0ea57b983437aaf1b2b184e249c3e
70a17ce04f4103804cdcb27e36235a89ba45561e5a477da5dc1a5e6f604d0ea7
a89892d742a7c1c0e63d3606d9e4764a8f6318dbbc58c2a2f14963fb47c380a8
09bb497c378ed884983055338dce20e8db38ed9b966da929b0f1d5d646a52808
57fd565bb44788ce8f547cf1f439fb37bbe78944175bbc43ffa4b64156665556
c59c3b7e61af36979afe094310c06e24677975d07026ec9af07bfde74da794b6
8c8804a51f249b24b1ae1ad4487ed7bddd999f2a38158ef789af1c215559470e
d6538ca0dc816bcfb3f60df32e6550b91f3bd055af29f02591bcc3523ef921f6
78a74ab5a966c5040df4bb1b1a08a3bfa7d947aaee7e926b52a20186ed7f7158
64fb8789e8e0fb9c082c2999538a5dec7de3d0f722db0e95024134cce9a6d3d0
449055658e47e349dc4bb4e3c0adb81350033e687379f97237c6c80d6f1cb228
6b9c180d50ea0534d74fa091c19e53e40d98362cf4cc89519a65f328a701c6d4
0c8a003199b0dad7f78d98264132563b69b9dc7db94070f8f4e3a8d772ba31e8
b80b496fbcd8fdc4e6bc183162a25e530bf8b2ed8b8adf5ea1285159527942e2
1521a38b6aae5d1956ed09556fd9f6aa20b14d56e10232425aba7289b6d8bae5
c8f0e0c3a2fdc30c0bdb9981d9351b645991582db1a3f13858b180d9fe336694
1f3a7e183273798800d2655de5632cf9d900ba43cb7141ee871138baa58368a9
fadc03fc007070883778ae79c131e4c7b32e4fd9bcfce160471c2562c1a1fffb
b2b9d072b9292b91cb1b06073976e14ad1b2ae058b9c0d8b501105aca2881599
8a3d4a0f0802ea706906f866136b5e9544209d2e11e5c8b807a0a1a4dc378adb
13b4310ab48353c03081863aed798e98bd052f34a185deec31cc53fb8581400b
6039522fefe49f8bd1fdce03aaaace7c17b953ee76866329664d3a170bf13e2c
46d47ddb45405f4df17bb8257f53cc4136224e7869f870c1e6fcc34a81a28c4a
301327113173e1a09d26663802c3e61571e49eb4022138e4b8a5a4c59c5aef84
092800cb5a3d6b797e42f69f02c7247a85c87f5c9cf42811401d37dd8d1f7333
f7855a902d3593167f12ec67e73d286537596ce14aba2c890cfcfac016f4d564
b49ae429c9b3e4e9e59823d44795b16fc7184e5d18d9c7a1b7f70e11ee6c4400
6c29578e601488f2515975c4d31bd6a5042da0578d9eef2db6801bffba10cf23
3dddb479a1240c5cfdc2636cdd8bc0ecd3d2e9da37a6b4d73e206a768cc24181
6c8576cf231fd3e4c6812399704820c6b9d462e99d696181adf071015b92ea27
5f203844e8cb82ad24fcef815c4fcb03fa14789663e8fa83b459e6f1f1852f27
f01dd589bf6eee71da5d8f1dd99471c0ff2b2e4071147bfcad07d75727258425
a509158e1105757bec0ff3f7dd621360d0acb1f17271841c19dab776004cd17e
f2d01738489cb69458555f6fe64ba65e0ed7fe444f2eb04ad71c968ded40d48c
9d3daf108dbb469968ba5f3bacd9a629c274f00d74eba9569d59609242700349
bafacce7e32e02ec671933a99bdb31c65addf24813422f50f0a5879637210255
2c49d57864b4be1f8b2907b78e963abc931333d98ad1653be2a9826f412500fb
5f33488d404030c908ce3cc6a99867d2ccd697e2d67a5e02d23fe73b45f7e2a0
982d20cce7e6458f1b964b36efef0c7245bd155962c04b08e02323c9efc60f3b
2777c2ab1358ff442a0744634600581a71c0ea57b983437aaf1b2b184e249c3e
70a17ce04f4103804cdcb27e36235a89ba45561e5a477da5dc1a5e6f604d0ea7
a89892d742a7c1c0e63d3606d9e4764a8f6318dbbc58c2a2f14963fb47c380a8
09bb497c378ed884983055338dce20e8db38ed9b966da929b0f1d5d646a52808
SH256 hash:
60e8c84c19b4ff2209a66c3de48999eaa07f134cfc5853a946c7e04a2758b995
MD5 hash:
e389dc69fb24716c96073f269a2e9877
SHA1 hash:
022d62379f520bc2c064dc9ab8964c8c30570050
SH256 hash:
b80b496fbcd8fdc4e6bc183162a25e530bf8b2ed8b8adf5ea1285159527942e2
MD5 hash:
14b2132d5a30f91278dc7bb5e624e364
SHA1 hash:
9a22fb716a4cd3b788d76fe83727b7f72f88bd7f
Malware family:
NanoCore
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | pe_imphash |
|---|
| Rule name: | Skystars_Malware_Imphash |
|---|---|
| Author: | Skystars LightDefender |
| Description: | imphash |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.