MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d813644d9387e23efe566919a08f4d43ec3ea7347c7042c0ce5c6703d2afdbd4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d813644d9387e23efe566919a08f4d43ec3ea7347c7042c0ce5c6703d2afdbd4
SHA3-384 hash: 994439cf240aff5fdfe4aeaa7ab1abf9a9feb1a8ec42b3ca41e69bf73cba1131b07c10bffdb1648e06583e8f2ffe38b6
SHA1 hash: 3075bbe9442fa6da3c25d2366ee58f5fafd638d9
MD5 hash: 34796749977d59cfcbc434740472d76d
humanhash: colorado-wolfram-south-mars
File name:34796749977d59cfcbc434740472d76d.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:791'040 bytes
First seen:2022-03-28 16:25:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:BbHchFHNI+4Ki3Z6LiuZGrb7zjopMiNeb6CD+:BbHchlNih6LiuZkb7H0Nz
Threatray 5'668 similar samples on MalwareBazaar
TLSH T14AF4E0EC29BA01F9F3268EFE5EDCF5B0CB79E2212104F4B978D91B025741B4099D2679
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
NanoCore C2:
194.5.98.148:6776

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
194.5.98.148:6776 https://threatfox.abuse.ch/ioc/390269/

Intelligence

File Origin
# of uploads :
1
# of downloads :
290
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/258681/
Detection(s):
SecuriteInfo.com.MachineLearning.Anomalous.94.24751.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fareit obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/6241e19c1f20423948437d57/reports/7cf93126-1e48-4229-acb3-718ebb89a637/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NanoCoreRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/50c191f7-4573-4f07-850d-93e08973acf7
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/966024
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: NanoCore
Sigma detected: Suspicious Add Scheduled Task From User AppData Temp
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 598505 Sample: kAotvGuQ7L.exe Startdate: 28/03/2022 Architecture: WINDOWS Score: 100 44 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->44 46 Multi AV Scanner detection for domain / URL 2->46 48 Found malware configuration 2->48 50 19 other signatures 2->50 7 kAotvGuQ7L.exe 7 2->7         started        11 dhcpmon.exe 2 2->11         started        process3 file4 28 C:\Users\user\AppData\Roaming\areHUwS.exe, PE32 7->28 dropped 30 C:\Users\user\...\areHUwS.exe:Zone.Identifier, ASCII 7->30 dropped 32 C:\Users\user\AppData\Local\...\tmp69B7.tmp, XML 7->32 dropped 34 C:\Users\user\AppData\...\kAotvGuQ7L.exe.log, ASCII 7->34 dropped 52 Uses schtasks.exe or at.exe to add and modify task schedules 7->52 54 Writes to foreign memory regions 7->54 56 Allocates memory in foreign processes 7->56 58 2 other signatures 7->58 13 RegSvcs.exe 1 10 7->13         started        18 powershell.exe 24 7->18         started        20 schtasks.exe 1 7->20         started        22 conhost.exe 11->22         started        signatures5 process6 dnsIp7 40 azuite1.ddns.net 194.5.98.148, 49784, 49786, 49789 DANILENKODE Netherlands 13->40 42 192.168.2.1 unknown unknown 13->42 36 C:\Users\user\AppData\Roaming\...\run.dat, data 13->36 dropped 38 C:\Program Files (x86)\...\dhcpmon.exe, PE32 13->38 dropped 60 Hides that the sample has been downloaded from the Internet (zone.identifier) 13->60 24 conhost.exe 18->24         started        26 conhost.exe 20->26         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d813644d9387e23efe566919a08f4d43ec3ea7347c7042c0ce5c6703d2afdbd4/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-21 12:20:03 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3ajwitmtq7rd57swnem2bd2nipwd5jzupryefqgolrtqhuvp3pka._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
263565e9f77b5ee48474855d471315dd56d1bcabe4d037fb380d404b3afcd14e
NanoCore
45272694709263868523b77d0561757378cc2e8aa7d64c7ed21deaacbdf88b5b
NanoCore
4f7da7d6fb331a8098d4ce354690ffc64d8f0225307b406e722548109e669d4d
NanoCore
55aea4a4530e0aa4d13d4c68b9027e6a215bc4a4eaa87d2a8bfdc2c443dd3d7c
NanoCore
862965d573744607a29489905cfc8abdd8f187874d476ef4263eee7e5175630a
NanoCore
db7d1bc1cf6fb7fdbc3d0fc2c67c97ed89aa316d6bcb4c4e6ce942c9145612fc
NanoCore
+ 5'658 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/220328-txhdyscae3/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
NanoCore
Malware Config
C2 Extraction:
azuite1.ddns.net:6776
127.0.0.1:6776
Unpacked files
SH256 hash:
e33254e2ad4d279914a29450f98d1750a9f513fc8ddb853e0dd8346b805faa43
MD5 hash:
b597cce7bfc65e56fa69ebb7f413a33f
SHA1 hash:
7ee40df5ac783432e7c9f7be4f7ed1f286345d58
Link:
https://www.unpac.me/results/fd0771f1-9bc1-4128-89c0-52d169c4168b/
SH256 hash:
315434c21cef36372aa8d88c612e56abc802fd4e4427085ca27905dd1ac9cd2c
MD5 hash:
482543e63f77b5d5ffd11b2df240e461
SHA1 hash:
4f618f219808937cd2c33b43d0922a71af6f1c80
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/fd0771f1-9bc1-4128-89c0-52d169c4168b/
Parent samples :
a7693434e775cf120cec21c7380f70b9e8914f7dd02019e953d5af4af0147a39
edbcf263dcdc843c1f1adf5f8c8c0e476f4d5d8da6771c729b863f55033f8d75
a95dc0b5b3f5c4346729e1e45c7d5d69736b273e9b5ef4187326c973d463d55c
7710c5dd03c6a4c1e75e492e4fab9fb0ddc928497c1442d52417a41745d9c097
34bb8ab4f4af2b2834e83d1cbab2bc16baa1a0c536d0721531b4072fb40629df
951791738b8256d710fb1c7b0960a4ff30636371ed39346a93bc5a9500614769
d813644d9387e23efe566919a08f4d43ec3ea7347c7042c0ce5c6703d2afdbd4
SH256 hash:
37e60bf400608641da379ecdda16f9366e98ae45f79d024d9c5e4dca05159b93
MD5 hash:
ca4286df6d80302d825ee40336a00734
SHA1 hash:
3bae33ba25af528331c9135cfee3a716146c9791
Link:
https://www.unpac.me/results/fd0771f1-9bc1-4128-89c0-52d169c4168b/
SH256 hash:
73cd4f6b8c1843e8af247a81700e991bd7593d0b5a345c4d2081237ce63eca1d
MD5 hash:
5a0c694113765a16a9cfc9973b0e4cf8
SHA1 hash:
34e7cb8d8d46a6f531c77e5d497441e83e58c58e
Link:
https://www.unpac.me/results/fd0771f1-9bc1-4128-89c0-52d169c4168b/
SH256 hash:
d813644d9387e23efe566919a08f4d43ec3ea7347c7042c0ce5c6703d2afdbd4
MD5 hash:
34796749977d59cfcbc434740472d76d
SHA1 hash:
3075bbe9442fa6da3c25d2366ee58f5fafd638d9
Link:
https://www.unpac.me/results/fd0771f1-9bc1-4128-89c0-52d169c4168b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d813644d9387e23efe566919a08f4d43ec3ea7347c7042c0ce5c6703d2afdbd4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/258681/

Comments