MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c90fdaf1c8ea72c144395f8450b870865dc56f6ea3cef897464cd9e808d01c4a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NanoCore


Vendor detections: 9



SHA256 hash: c90fdaf1c8ea72c144395f8450b870865dc56f6ea3cef897464cd9e808d01c4a
SHA3-384 hash: a2c2c2da6e980131474bbbfcff2983f24172945a18bad88d4c5384a60f05723b3ad2750507a7d045a2b62edb05b623bc
SHA1 hash: cb47c54bbd851526ae9223762f0a2e42c2b9f357
MD5 hash: 3fce6f41954689d04e221e67abcccef7
humanhash: london-red-nine-quebec
File name: C90FDAF1C8EA72C144395F8450B870865DC56F6EA3CEF.exe
Signature NanoCore
File size: 20'386'577 bytes
First seen: 2021-08-22 03:50:31 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash c9adc83b45e363b21cd6b11b5da0501f (82 x ArkeiStealer, 60 x RecordBreaker, 46 x RedLineStealer)
ssdeep 393216:1X4DaBIK3j81kYNInUUZecCqNPIDis6o5LWO8bbqPiaFVMwxL2jPfpsc:2Daf3uWnrZk2IDixcLP8bbqPiaFVMwx6
Threatray 1'316 similar samples on MalwareBazaar
TLSH T1D627336C328A4375C0C2B270EA1EFB74F93D6C2051BDB18BFEE591B872955692774223
dhash icon f0cc9e979796c4f0 (1 x NanoCore)
Reporter abuse_ch
Tags: exe NanoCore RAT


abuse_ch
NanoCore C2:
185.19.85.147:54999

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 185.19.85.147:54999
ThreatFox Reference: https://threatfox.abuse.ch/ioc/192582/

Intelligence


File Origin
# of uploads :
1
# of downloads :
153
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Delayed reading of the file
Creating a file in the %temp% subdirectories
Creating a file in the Program Files subdirectories
Deleting a recently created file
Creating a file in the %AppData% directory
Creating a process from a recently created file
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
suspicious
Classification:
evad
Score:
32 / 100
Signature
Antivirus / Scanner detection for submitted sample
Drops PE files to the user root directory
Multi AV Scanner detection for submitted file
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Behavior Graph ID: 469355. Sample: C90FDAF1C8EA72C144395F8450B... Startdate: 22/08/2021. Architecture: WINDOWS. Score: 32. (The rendered graph of dropped files, spawned processes and contacted hosts is not reproducible as text.)
Threat name:
Win32.Trojan.Generic
Status:
Suspicious
First seen:
2018-05-14 10:14:11 UTC
AV detection:
11 of 28 (39.29%)
Threat level:
5/5
Result
Malware family:
n/a
Score:
8/10
Tags:
discovery
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Checks installed software on the system
Loads dropped DLL
Executes dropped EXE
Malware family:
DarkComet
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments