MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d3afc17faae7f4f59863f1078588c1e6f897b4f57b250abdb7a6dc7bbd6fa9dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	d3afc17faae7f4f59863f1078588c1e6f897b4f57b250abdb7a6dc7bbd6fa9dc
SHA3-384 hash:	683ddf15294af164ba8b5cefc89e0f3c653a8d447b3c03a250ac0421ced57dd1e123263a52b9fd25c25e057939babedd
SHA1 hash:	b6b336f91fb5b5ee836b477abefe51e74211efda
MD5 hash:	694af3a8c89f728d88819c2946fe761d
humanhash:	missouri-coffee-sink-bakerloo
File name:	694AF3A8C89F728D88819C2946FE761D.exe
Download:	download sample
Signature	NanoCore Alert Create hunting rule
File size:	9'623'845 bytes
First seen:	2023-12-17 17:45:07 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	12e12319f1029ec4f8fcbed7e82df162 (388 x DCRat, 52 x RedLineStealer, 51 x Formbook)
ssdeep	196608:7+CVgP1S6vv2Otniv16ZzR2J2sRAxXENd3n9FTMF9QloB4ypE0aperhX+X:7JgFHrNZ1sRAUNd3zkQKROerhm
TLSH	T102A63302FEDAE9F3C532167448E195515537B8785F75C88F83888E8DB7B32C50A32BA6
TrID	89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39) 3.5% (.EXE) Win64 Executable (generic) (10523/12/4) 2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 1.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	d4f0b0d2d2b8b2b0 (1 x SystemBC, 1 x NanoCore)
Reporter	abuse_ch
Tags:	exe NanoCore RAT

abuse_ch

NanoCore C2:
91.92.248.48:54984

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

451

Origin country :

NL

Vendor Threat Intelligence

CAPE Sandbox AsyncRat

Detection:

AsyncRat

Alert

Create hunting rule

Link:

https://www.capesandbox.com/analysis/468172/

ClamAV Detected

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.38920448.13962.7593.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for the window

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file in the %temp% directory

Creating a process from a recently created file

Creating a file

Running batch commands

Launching a process

DNS request

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Unauthorized injection to a system process

FileScan.IO Likely Malicious

Verdict:

Likely Malicious

Threat level:

  7.5/10

Confidence:

100%

Tags:

anti-vm lolbin overlay packed replace setupapi shdocvw shell32

Link:

https://www.filescan.io/uploads/657f33dcf4b6e5e1634dc832/reports/825abe48-31d8-474c-8626-f5a481862332/overview

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer AZORult

Malware family:

AZORult

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e82931fa-552d-454a-a7f5-61098357ba28

Joe Sandbox Nanocore, AsyncRAT

Result

Threat name:

Nanocore, AsyncRAT

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1363655

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Antivirus detection for dropped file

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to detect sleep reduction / modifications

Detected Nanocore Rat

Drops executable to a common third party application directory

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Hides threads from debuggers

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sample uses process hollowing technique

Sigma detected: NanoCore

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected AsyncRAT

Yara detected Nanocore RAT

Behaviour

Behavior Graph:

Download SVG

Nucleon Malprob Malware

Score:

91%

Verdict:

Malware

File Type:

PE

Link:

https://malprob.io/report/d3afc17faae7f4f59863f1078588c1e6f897b4f57b250abdb7a6dc7bbd6fa9dc

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d3afc17faae7f4f59863f1078588c1e6f897b4f57b250abdb7a6dc7bbd6fa9dc/

ReversingLabs TitaniumCloud Win32.Backdoor.AsyncRAT

Threat name:

Win32.Backdoor.AsyncRAT

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-12-15 19:02:39 UTC

File Type:

PE (Exe)

Extracted files:

17

AV detection:

17 of 23 (73.91%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2ox4c75k472plgdd6edylcgb434jpnhvpmsqvpnxu3ohxplpvhoa._file

Threatray agenttesla

Verdict:

malicious

Label(s):

agenttesla

Alert

Create hunting rule

Hatching Triage zgrat

Result

Malware family:

zgrat

Alert

Create hunting rule

Score:

  10/10

Tags:

family:asyncrat family:zgrat rat

Link:

https://tria.ge/reports/231217-wcajqafbdj/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Program Files directory

Suspicious use of SetThreadContext

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Async RAT payload

AsyncRat

Detect ZGRat V1

ZGRat

UnpacMe INDICATOR_EXE_Packed_SmartAssembly win_asyncrat_w0 asyncrat win_peppy_rat_auto

Unpacked files

SH256 hash:

ac2e2cd7689e0633efb6943d8b3b6e644ad9649cf99ad10e5e7c930141346b6f

MD5 hash:

8b28bd12a73fc10c0c6c0c1c78feaee7

SHA1 hash:

47ca8165e54fb98e906d15328fd1e8096c914410

Link:

https://www.unpac.me/results/999cd0bd-0dce-4ba2-89a4-f73107d9c132/

SH256 hash:

4da5efdc46d126b45daeee8bc69c0ba2aa243589046b7dfd12a7e21b9bee6a32

MD5 hash:

f35a584e947a5b401feb0fe01db4a0d7

SHA1 hash:

664dc99e78261a43d876311931694b6ef87cc8b9

Link:

https://www.unpac.me/results/999cd0bd-0dce-4ba2-89a4-f73107d9c132/

SH256 hash:

2ee3117e3e99bb0cdfd7c43aa2b9c8069f330170b60e8faec068a52485323692

MD5 hash:

3006c7523bbeb923abd948e532fe5d3e

SHA1 hash:

f292ddcdaf46ef461efb505f2842dc932ac759cf

Link:

https://www.unpac.me/results/999cd0bd-0dce-4ba2-89a4-f73107d9c132/

SH256 hash:

109e0a699a455f819b296cf17bfa89a55c92be9b61978b49a3c9b21c7595e5bc

MD5 hash:

d944becdd81caf160e6b2b3604291807

SHA1 hash:

656a376eb618cabe3bd255042ab2f2af7dc40985

Link:

https://www.unpac.me/results/999cd0bd-0dce-4ba2-89a4-f73107d9c132/

SH256 hash:

5bbc3142a48e64a14c421a5032a0ffcc01a44a7d8d8ce52f0542953ab730e54b

MD5 hash:

e149b41b90e26ec2a66be73048f683ac

SHA1 hash:

b656e06b426869e3cef5939c325e706f9bf0eedb

Link:

https://www.unpac.me/results/999cd0bd-0dce-4ba2-89a4-f73107d9c132/

SH256 hash:

c9bc56136af2331ea059436c1e611affd661ffdfa73712a0af96b6f0c10d3dab

MD5 hash:

b399b5700c8b4e439371db4f5b3efd33

SHA1 hash:

1a75190ee152b2c6c2cc9c915808d836bb1a6964

Link:

https://www.unpac.me/results/999cd0bd-0dce-4ba2-89a4-f73107d9c132/

SH256 hash:

e219af4f7f2277aa08207675013eb47d723b7073baea584c871ae77195a274f3

MD5 hash:

7d80dd91eb753e79e080ef2f2412aac6

SHA1 hash:

6f17121185443d0873e7ae2f1e9b7fdd107bae9c

Link:

https://www.unpac.me/results/999cd0bd-0dce-4ba2-89a4-f73107d9c132/

SH256 hash:

ca1ae12ebc8f7e455c88b32a15584b2f0288b70ab55bce92fedc12097175ac7b

MD5 hash:

8fedc40edd6c61f05b12915fb67cf62c

SHA1 hash:

10527a4dac1f9af707f4170191bc682c6d6ad3c9

Detections:

INDICATOR_EXE_Packed_SmartAssembly

Alert

Create hunting rule

Link:

https://www.unpac.me/results/999cd0bd-0dce-4ba2-89a4-f73107d9c132/

Parent samples :

d3afc17faae7f4f59863f1078588c1e6f897b4f57b250abdb7a6dc7bbd6fa9dc
41b315e70843bdcd5a9cc1b8c8f86ddd1fd11c7423ec3842d689515743900240
e9837fc1d609e0084452590c09746a89af73ec6abf45a26ab58a4d48c9ebceac
1cce0e4c3b171f62ebdf5348a2d32d8c5bce25ae74c4a89f70012bb4ccfca5c1
13a16094d96f70d08628b6056bf2a0d4f1040e75712e44cad43cb296b2b09df3
4e1597543c0d63cf44db982f9c5cdb0ebdb88343ab8e8711501103d5f2ebb06b
62c0672bd77beaab3e5546944e23f7db1f66a207d9eecbedcaaebb4bfc47b954
9945a60ea4f2f1cfdae3ef85ccb74af2ee8b80d84889d3897f6c2a034cccf9c2
6d41b3409dbdabdc5109f72b190e2a54ed82b2cbb15951ac077343b2b0e81241
6dd49051e89930b88df26f0114262a5c8daf4b6aea23dd4cb83ede30a96693bd
88ddf04406650345e5587783e3deee74be768fef366b4cb0a5924c8ee53f5dca
700f4baa74b80dd4346d8d11290cd2be76add8c1c7434ecc7c43955db6a798f9
edebcf64a5d0c82ebe5162377f754aed085d9d67e51e7eeb701b0229bc802ed4
dee18c7775e76a2133c26dd2b9a638245c70b23879526bcf746d31560a42904c
076833c6d155b874c3ce21e2cc8519ccf4b4e079f2c27bb9a8acfef2106005da
7a40c32f9c5024cca47611c9629f451e49b36d83f592041d76cbf19cf0094d98
09906220a031d47b63209142dae794c1823d413450641d06a96086e80487d648
432be80b43a6e63fdbfe7487d2bd2dbba90281c03fc95a15fcac91f1f2f7c589
c328d5317e30eea13b03519f9b46f2cc0c80d08e45b9a83d3df702ac1f1604df
7bcaf39c620b923157f864ab3a85469d6f13b4525b140d26ab8ca68f50905fb9
b60e9d25fa67a6abff4209e4419b52250e447b986f8ad459113c874bc72f676c
38f215b45de95293eee5d0a4ebaf2da2341ac93bcd5b001e52bcd1b96848b96a

SH256 hash:

78462f08b0dea5aae9666e3802a19ad87766b86c7669e08d887eb5b4e1e5a29c

MD5 hash:

a29ff16b61416481e0cdc5b94ede1b47

SHA1 hash:

e8830072c37da716b9ee4a7e54c4fed7359698c4

Link:

https://www.unpac.me/results/999cd0bd-0dce-4ba2-89a4-f73107d9c132/

SH256 hash:

68350c78fb5a84b01d548b4d3ffadb880474da81bc9748f0e1c2e2e7adf4b0e1

MD5 hash:

bd156031ebde71867a2e7e6ae5124c6f

SHA1 hash:

69a987e7761f93ff4cf26c4de84ef00ac40715fc

Link:

https://www.unpac.me/results/999cd0bd-0dce-4ba2-89a4-f73107d9c132/

SH256 hash:

94e05d2cf49bf5563d7d4a210dd55d86a989543318c48ec8495ae898bdd223d5

MD5 hash:

2af66ef8816e2c8e03a1e90e8eb3b0b5

SHA1 hash:

e55aeffeefe7e2be619851b090e477e8222df8bf

Link:

https://www.unpac.me/results/999cd0bd-0dce-4ba2-89a4-f73107d9c132/

SH256 hash:

42d1ca09218cc88bf9204fa34dee5825ec580497d2b0f2e867c8b19ec53c383a

MD5 hash:

69e01a4d63e83cb72e861cde2ae010a1

SHA1 hash:

ce5e28ec2369c358485d34306b547c2f1f4f0627

Link:

https://www.unpac.me/results/999cd0bd-0dce-4ba2-89a4-f73107d9c132/

SH256 hash:

3d5dee3b4ec3745ec5f994f8fe9e6d77f030d9600600a618dea025be17042db9

MD5 hash:

e7bfdad2a47f2b3cc215f2baae560b75

SHA1 hash:

cd90db951544fb901fd9b92b38648db571296257

Link:

https://www.unpac.me/results/999cd0bd-0dce-4ba2-89a4-f73107d9c132/

SH256 hash:

a1c2971e3f81dbccb9d1e80e00ec9a6b118e77d35ff8c9a1bce31d4693033b87

MD5 hash:

6a6782c8c7bcd5235d77f641817f8ce0

SHA1 hash:

c55fed842cb09c423c767c0ac5c3abed775a5ea4

Link:

https://www.unpac.me/results/999cd0bd-0dce-4ba2-89a4-f73107d9c132/

SH256 hash:

8cdf757c76c7b60357841106b73eed2d75e9939fa050826211a8895e92e0f7b8

MD5 hash:

e2583e4511cb73787d0dca81e981138f

SHA1 hash:

c38395903469b10332ad5fd0c188f4cd361c4492

Link:

https://www.unpac.me/results/999cd0bd-0dce-4ba2-89a4-f73107d9c132/

SH256 hash:

e8e3313c01c4ee2f4ff23a9a9e420e16a8a6b71b15a977cba614c036fd331b11

MD5 hash:

16e4461ca14150ececaa89d9f588d35c

SHA1 hash:

ad5407fe4b6935c3e7adce6ce8239372e358e598

Link:

https://www.unpac.me/results/999cd0bd-0dce-4ba2-89a4-f73107d9c132/

SH256 hash:

12bedcc372822a26d0ed255e43b85b596cd6710b60fb750a3c98bc3133586b23

MD5 hash:

bc4c8080335efcfc47345a250d8d4473

SHA1 hash:

701493859a35f8cb20d1e1c185d07446fadf906c

Link:

https://www.unpac.me/results/999cd0bd-0dce-4ba2-89a4-f73107d9c132/

SH256 hash:

092466bc359a31489aafcf647b4e8e00dd34bb0a75834307b5fb72ac81e6b870

MD5 hash:

dd5fb3fecfa55e80db04dbcae35df567

SHA1 hash:

52458625b66c03e2b0909410af6008f25ea63376

Detections:

win_asyncrat_w0

Alert

Create hunting rule

INDICATOR_EXE_Packed_SmartAssembly

Alert

Create hunting rule

asyncrat

Alert

Create hunting rule

Link:

https://www.unpac.me/results/999cd0bd-0dce-4ba2-89a4-f73107d9c132/

SH256 hash:

216408e5e2fbb4d1055dbdb5dcc3f37f4324fe047ec38a45a38a70371b7180d9

MD5 hash:

e4c90f82a1468ab71a23dec242f7afcc

SHA1 hash:

d0b29c4699bf872b6e6ac8caa4c5aa811e456b56

Detections:

win_peppy_rat_auto

Alert

Create hunting rule

Link:

https://www.unpac.me/results/999cd0bd-0dce-4ba2-89a4-f73107d9c132/

SH256 hash:

d3afc17faae7f4f59863f1078588c1e6f897b4f57b250abdb7a6dc7bbd6fa9dc

MD5 hash:

694af3a8c89f728d88819c2946fe761d

SHA1 hash:

b6b336f91fb5b5ee836b477abefe51e74211efda

Link:

https://www.unpac.me/results/999cd0bd-0dce-4ba2-89a4-f73107d9c132/

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Trojan

Threat name:

Trojan

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d3afc17faae7f4f59863f1078588c1e6f897b4f57b250abdb7a6dc7bbd6fa9dc

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/468172/