MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e1ebbab99d48125f4ef22d26eae99829d29a2d2fb22fd89b4222496cbee00bbc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e1ebbab99d48125f4ef22d26eae99829d29a2d2fb22fd89b4222496cbee00bbc
SHA3-384 hash: 0d9e34ea1e7e337758aaebb79acec754fdb583d784bb07f58ab33fb0d9e7dda3100ce5edcfc804fe51dc978977befd7f
SHA1 hash: 30105048e4947f1d0689122aa63a51de3163dc8b
MD5 hash: d1b740ce54ac2c990317507e34a4c9ad
humanhash: monkey-angel-mountain-paris
File name:POFGUETG FBNM.js
Download: download sample
Signature NanoCore
Create hunting rule
File size:16'718 bytes
First seen:2025-05-30 11:06:10 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 192:g8hfKM9GZaBRYK/MbzZZaBUBnFWlxnKMYV7O7MUP/WEPTYYO86GPsCd9PxLhvg6l:nfFXmbGiNW4q/WCxVvgI
Threatray 1'009 similar samples on MalwareBazaar
TLSH T1897273559581C2262CB383A0672E7021FFEA4013B1BDE551F0EEDB422F759616272FCB
Magika javascript
Reporter abuse_ch
Tags:js NanoCore

Intelligence

File Origin
# of uploads :
1
# of downloads :
414
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Script.SNH-gen.752.2814.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6839928c668438e362e871e0
Tags:
obfuscate xtreme shell
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/68399146985349514e5ed005/reports/03788252-2723-497a-aff9-2ab7f2562fcc/overview
Verdict:
Malicious
Labled as:
Trojan.Script.Heuristic
Link:
https://www.hybrid-analysis.com/sample/e1ebbab99d48125f4ef22d26eae99829d29a2d2fb22fd89b4222496cbee00bbc
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1702259
Signature
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
JavaScript source code contains functionality to generate code involving HTTP requests or file downloads
Joe Sandbox ML detected suspicious sample
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: NanoCore
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Uses dynamic DNS services
Uses threadpools to delay analysis
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AntiVM3
Yara detected Nanocore RAT
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1702259 Sample: POFGUETG FBNM.js Startdate: 30/05/2025 Architecture: WINDOWS Score: 100 44 paste.ee 2->44 46 pki-goog.l.google.com 2->46 48 3 other IPs or domains 2->48 64 Suricata IDS alerts for network traffic 2->64 66 Found malware configuration 2->66 68 Malicious sample detected (through community Yara rule) 2->68 72 16 other signatures 2->72 9 wscript.exe 1 1 2->9         started        13 dnshost.exe 4 2->13         started        15 dnshost.exe 3 2->15         started        signatures3 70 Connects to a pastebin service (likely for C&C) 44->70 process4 dnsIp5 50 paste.ee 23.186.113.60, 443, 49685, 49688 KLAYER-GLOBALNL Reserved 9->50 74 System process connects to network (likely due to code injection or exploit) 9->74 76 JScript performs obfuscated calls to suspicious functions 9->76 78 Suspicious powershell command line found 9->78 80 3 other signatures 9->80 17 powershell.exe 15 16 9->17         started        21 conhost.exe 13->21         started        23 conhost.exe 15->23         started        signatures6 process7 dnsIp8 42 ia600102.us.archive.org 207.241.227.242, 443, 49689 INTERNET-ARCHIVEUS United States 17->42 56 Detected Nanocore Rat 17->56 58 Creates autostart registry keys with suspicious values (likely registry only malware) 17->58 60 Creates multiple autostart registry keys 17->60 62 2 other signatures 17->62 25 MSBuild.exe 1 9 17->25         started        30 MSBuild.exe 17->30         started        32 cmd.exe 1 17->32         started        34 conhost.exe 17->34         started        signatures9 process10 dnsIp11 52 suchwoni13.duckdns.org 25->52 54 suchwoni13.duckdns.org 43.226.229.132, 20251, 49692, 49697 SOFTLAYERUS Hong Kong 25->54 38 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 25->38 dropped 40 C:\Users\user\AppData\Roaming\...\dnshost.exe, PE32 25->40 dropped 82 Detected Nanocore Rat 25->82 84 Creates multiple autostart registry keys 25->84 86 Hides that the sample has been downloaded from the Internet (zone.identifier) 25->86 88 Uses threadpools to delay analysis 30->88 36 conhost.exe 32->36         started        file12 90 Uses dynamic DNS services 52->90 signatures13 process14
Score:
9%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/e1ebbab99d48125f4ef22d26eae99829d29a2d2fb22fd89b4222496cbee00bbc
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e1ebbab99d48125f4ef22d26eae99829d29a2d2fb22fd89b4222496cbee00bbc/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-05-29 01:57:02 UTC
File Type:
Text (JavaScript)
AV detection:
6 of 24 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4hv3vom5jajf6txsfutov2myfhjjuljpwix5rg2cejewzpxabo6a._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
054dfc79f9382fb9cb0a97870dad3ef1f5c91b7a15540a217cb3619db857307f
NanoCore
1805439355f48464312b4f9c0e16301c5f211c204e197c2000e7342c8db95c00
NanoCore
4e31d493a6e64c76ff10026b147f95c6f2982860609803d88c8738a26fa3309f
NanoCore
93b876dcdef3dbc659b47929122ef5c0737af6d24373d5b21e2a4a5ae2ff6480
NanoCore
b54e60c9821848c2ed3555992e7a413738176ceee30700fb264b0cda23b6c541
NanoCore
cc0f668960e58ed14928b9ecc674c8dce304d6ff558618fc0d7b7eb7f2287203
NanoCore
cfaae9c47bf878627929342f50da998d65f9e7912c5add3c511e6797d4c5f755
NanoCore
da4fb7c03aaca6df5146ea391788bef99ababd891dbff4b446fa008d254472c2
NanoCore
ee58fa913b4f5d0527453664b762b848404c19c23369ab6c4c893d55adbdde4b
NanoCore
error
NanoCore
+ 999 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore discovery execution keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/250530-m7n6xsgl81/
Behaviour
Modifies registry class
Scheduled Task/Job: Scheduled Task
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
NanoCore
Nanocore family
Malware Config
C2 Extraction:
suchwoni13.duckdns.org:20251
127.0.0.1:20251
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Nanocore
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e1ebbab99d48125f4ef22d26eae99829d29a2d2fb22fd89b4222496cbee00bbc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments