MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de0a8ea18835d2511b6f4345d62743bd7374ab294b9067fbed819e37cb1642c1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: de0a8ea18835d2511b6f4345d62743bd7374ab294b9067fbed819e37cb1642c1
SHA3-384 hash: 67d9bfafd5d338dab28342cf1c659b7801759b449bdc1061035f9802641716df798b21138341943b189c5f37befa3336
SHA1 hash: 449dc047b26d23874afe311261101cbb754cf2d7
MD5 hash: 7c150864ebcad18d185a492b6a9163b0
humanhash: sierra-louisiana-seven-nine
File name:IMG91021606.pif.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:2'132'395 bytes
First seen:2022-10-26 22:40:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 49152:4ov0SawgSwDYo5Me034nJRxi0fT7SEfxmhnlyIgdDG6D:4oLUS7jcNvx4n8S6D
Threatray 6'595 similar samples on MalwareBazaar
TLSH T1FDA52303B7D28872C2774A71AA2AFB111EB87D305E70C70A67F4452DDB715A1A23DB72
TrID 91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 8948ecca71e8cc10 (4 x AgentTesla, 4 x NanoCore)
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
NanoCore C2:
http://107.189.4.253/bidone/inc/fce77e8ed01c65.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://107.189.4.253/bidone/inc/fce77e8ed01c65.php https://threatfox.abuse.ch/ioc/949942/

Intelligence

File Origin
# of uploads :
1
# of downloads :
320
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
nanocore
Create hunting rule
ID:
1
File name:
IMG91021606.pif.exe
Verdict:
Malicious activity
Analysis date:
2022-10-26 22:41:22 UTC
Tags:
autoit trojan nanocore rat agenttesla
Link:
https://app.any.run/tasks/bbf06f6c-5727-4f06-96d3-9fa1467bf219

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/324580/
Detection(s):
SecuriteInfo.com.Gen.Variant.Johnnie.221809.751.14920.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Enabling the 'hidden' option for files in the %temp% directory
Creating a process from a recently created file
Sending a custom TCP request
Creating a file
Adding an access-denied ACE
Launching a process
Creating a file in the %AppData% subdirectories
Forced system process termination
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a single autorun event
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/45785/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/125dfbea-3b65-47f3-90b9-3cff0e06ee0d
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1098878
Signature
Antivirus detection for dropped file
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AntiVM autoit script
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 731526 Sample: IMG91021606.pif.exe Startdate: 27/10/2022 Architecture: WINDOWS Score: 88 77 Snort IDS alert for network traffic 2->77 79 Multi AV Scanner detection for submitted file 2->79 81 Yara detected AntiVM autoit script 2->81 8 IMG91021606.pif.exe 3 33 2->8         started        11 wscript.exe 1 2->11         started        13 wscript.exe 2->13         started        15 4 other processes 2->15 process3 file4 53 C:\Users\user\AppData\Local\...\gtfwiwxp.exe, PE32 8->53 dropped 55 C:\Users\user\AppData\Local\Temp\...\gst.exe, PE32 8->55 dropped 17 gst.exe 35 8->17         started        21 wscript.exe 1 8->21         started        23 cmd.exe 1 11->23         started        25 cmd.exe 13->25         started        27 cmd.exe 15->27         started        process5 file6 51 C:\Users\user\AppData\Local\...\akfng.exe, PE32 17->51 dropped 83 Multi AV Scanner detection for dropped file 17->83 29 wscript.exe 17->29         started        31 gtfwiwxp.exe 2 6 21->31         started        35 gtfwiwxp.exe 1 1 23->35         started        37 conhost.exe 23->37         started        39 conhost.exe 25->39         started        41 gtfwiwxp.exe 25->41         started        43 conhost.exe 27->43         started        45 akfng.exe 27->45         started        signatures7 process8 file9 47 akfng.exe 29->47         started        57 C:\Users\user\AppData\Local\...\start.vbs, ASCII 31->57 dropped 61 Antivirus detection for dropped file 31->61 63 Multi AV Scanner detection for dropped file 31->63 65 Creates autostart registry keys with suspicious values (likely registry only malware) 31->65 67 Creates multiple autostart registry keys 35->67 signatures10 process11 file12 59 C:\Users\user\AppData\Local\...\start.vbs, ASCII 47->59 dropped 69 Antivirus detection for dropped file 47->69 71 Multi AV Scanner detection for dropped file 47->71 73 Creates autostart registry keys with suspicious values (likely registry only malware) 47->73 75 Creates multiple autostart registry keys 47->75 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/de0a8ea18835d2511b6f4345d62743bd7374ab294b9067fbed819e37cb1642c1/
Threat name:
Win32.Trojan.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2022-10-26 22:41:30 UTC
File Type:
PE (Exe)
Extracted files:
96
AV detection:
15 of 40 (37.50%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3yfi5imigxjfcg3pinc5mj2dxvzxjkzjjoigp67nqgpdpsywilaq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
nanocorerat
Create hunting rule
Similar samples:
2e37d7372a97df9e3955837eeae856489541aab815dffabc00bbc72af6483e9b
NanoCore
41344e5c95b80aaec71e1399c38731319a4151c0408f5709c2f973b430418a50
NanoCore
67e6fd61e128d5649045a4fc55fc6c287722b5c92e65eef35ce0838d6210d901
NanoCore
adb13e04eb377b8049411a827c557c9e3b788c54b6495cea68ae496ebc56f389
NanoCore
b0c5a3e2456d9df495e299db88e2431ab0133ea2327d885f6234ecf8ba5805e9
NanoCore
b1f692dd52aae8317db7cfd262a4bcc053cf721fc7a00bf66f4acc7cb5cc6cbc
NanoCore
b6ee55a608c075f6276f52be9c3af5ba04b376c31b0f965461eb12ec9370a847
NanoCore
+ 6'585 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:nanocore collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/221026-2l3vhshfd7/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Loads dropped DLL
Executes dropped EXE
AgentTesla
NanoCore
Malware Config
C2 Extraction:
37.139.128.94:6000
http://107.189.4.253/bidone/inc/fce77e8ed01c65.php
Unpacked files
SH256 hash:
7684cddf8889565411ce5dc651b49b41b31dd8bcf102594f9b587c1b7ac64bd6
MD5 hash:
f80fbd4b5a5a1772ffe0e5b06fbddb7d
SHA1 hash:
2a31aac8991e7bcdc5d28df951400ac2d960324e
Link:
https://www.unpac.me/results/f87037b8-2240-4001-aab7-fc0c5333adf6/
SH256 hash:
c140f7d790db09bae660f2c45b87a3f2d88bb00487dfca0d57dd3cf3d0f6e4b5
MD5 hash:
f2b5168a9ad5557823e2ba29c70b614b
SHA1 hash:
01c96f290620ed94b09d0fd05280e3c16da94ba5
Link:
https://www.unpac.me/results/f87037b8-2240-4001-aab7-fc0c5333adf6/
SH256 hash:
0e30040b4523c8f2b98d5007db86e711d6df8cfd2dffd7eb302ac87e52c74b8e
MD5 hash:
8e78f12666fbf14debb4450b8ba05e59
SHA1 hash:
e8aeabc09f64ed17c2554136f3e2e76d187434f3
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/f87037b8-2240-4001-aab7-fc0c5333adf6/
SH256 hash:
de0a8ea18835d2511b6f4345d62743bd7374ab294b9067fbed819e37cb1642c1
MD5 hash:
7c150864ebcad18d185a492b6a9163b0
SHA1 hash:
449dc047b26d23874afe311261101cbb754cf2d7
Link:
https://www.unpac.me/results/f87037b8-2240-4001-aab7-fc0c5333adf6/
Malware family:
NanoCore
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/de0a8ea18835/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/de0a8ea18835d2511b6f4345d62743bd7374ab294b9067fbed819e37cb1642c1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:sfx_pdb
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.
Rule name:sfx_pdb_winrar_restrict
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_AgentTesla_d3ac2b2f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/324580/

Comments