MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e211906985617f6ece64c7309ac60b26e133ee56c9b9016ce2186f2ae71d8ecf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	e211906985617f6ece64c7309ac60b26e133ee56c9b9016ce2186f2ae71d8ecf
SHA3-384 hash:	caeda98c6331c4f613ae195e5dfb518dddce5efaca6c29184176a8049c692220259e7d0a97fcc551a894ccdbb5ef5204
SHA1 hash:	08c29ec1b310dc2e82cffdb72f528f4cc6781e6b
MD5 hash:	cccb899d6c57a95d4266155e87a8aabe
humanhash:	zulu-connecticut-lemon-alpha
File name:	cccb899d6c57a95d4266155e87a8aabe
Download:	download sample
Signature	NanoCore Alert Create hunting rule
File size:	1'065'984 bytes
First seen:	2023-12-22 18:52:59 UTC
Last seen:	2023-12-22 20:15:11 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:aYuEMZHyBMBDo+2NIivRIvnUcgcACFr8InJHY5Q2nakmep4VZLzH/n0xDhmuWJi:ArVJcIXUNc1wIpY5QNkmeuRUDJ
Threatray	11 similar samples on MalwareBazaar
TLSH	T121359C553098C08BC717AAB31751EDF24D2A1E3DBD45E70524CDFA4B37B06AECA029DA
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10523/12/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	zbetcheckin
Tags:	32 exe NanoCore

Intelligence

---

File Origin

# of uploads :

2

# of downloads :

400

Origin country :

FR

Vendor Threat Intelligence

ANY.RUN nanocore

Malware family:

nanocore

Alert

Create hunting rule

ID:

1

File name:

168__DG54535TM_Metallwarenfabrik.xlsx

Verdict:

Malicious activity

Analysis date:

2023-12-22 17:43:03 UTC

Tags:

nanocore rat remote loader exploit cve-2017-11882

Link:

https://app.any.run/tasks/f3860f18-ca04-4400-bfb8-78ff54854110

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox NanoCore

Detection:

NanoCore

Alert

Create hunting rule

Link:

https://www.capesandbox.com/analysis/469073/

ClamAV Detected

Detection(s):

SecuriteInfo.com.Win32.CrypterX-gen.23621.17920.UNOFFICIAL

Alert

Create hunting rule

FileScan.IO Likely Malicious

Verdict:

Likely Malicious

Threat level:

  7.5/10

Confidence:

100%

Tags:

evasive packed

Link:

https://www.filescan.io/uploads/6585db0fb855eb3693ee0ee7/reports/5d47084e-3938-4eb9-83e1-4ac1c1c14bf9/overview

Hybrid Analysis Win/malicious_confidence_100%

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/e211906985617f6ece64c7309ac60b26e133ee56c9b9016ce2186f2ae71d8ecf

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer NanoCoreRAT

Malware family:

NanoCoreRAT

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8d7dc4b3-8041-4910-aefc-11290b7f7693

Joe Sandbox Nanocore

Result

Threat name:

Nanocore

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1366364

Signature

.NET source code contains potential unpacker

.NET source code contains process injector

.NET source code contains very large array initializations

.NET source code references suspicious native API functions

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Detected Nanocore Rat

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Snort IDS alert for network traffic

Uses dynamic DNS services

Writes to foreign memory regions

Yara detected Nanocore RAT

Behaviour

Behavior Graph:

Download SVG

Nucleon Malprob Malware

Score:

94%

Verdict:

Malware

File Type:

PE

Link:

https://malprob.io/report/e211906985617f6ece64c7309ac60b26e133ee56c9b9016ce2186f2ae71d8ecf

CERT.PL MWDB nanocore

Detection:

nanocore

Alert

Create hunting rule

Link:

https://mwdb.cert.pl/sample/e211906985617f6ece64c7309ac60b26e133ee56c9b9016ce2186f2ae71d8ecf/

ReversingLabs TitaniumCloud ByteCode-MSIL.Trojan.Zusy

Threat name:

ByteCode-MSIL.Trojan.Zusy

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-12-22 18:53:06 UTC

File Type:

PE (.Net Exe)

Extracted files:

39

AV detection:

17 of 23 (73.91%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4iiza2mfmf7w5ttey4yjvrqle3qth3swzg4qc3hcdbxsvzy5r3hq._file

Threatray malicious

Verdict:

malicious

Similar samples:

0d14d4e3b742bfea99aebb68954101b2509b7c92de33d27006fe81110e5ea3ae

NanoCore

20611e98cfa1eb933a6f90afaa222b832637a27015251fb40d2fc8fd6157f7a5

NanoCore

50c57233d3be4189fc1d3512d523f2dd6e2dbcdce66193bc7ee341c3c251a800

NanoCore

9e8236c0031bc36b82d7d6964a8f46ba037bc826c4eb7a23ea74e4e1f4f6b643

NanoCore

b2e09b439d7b6af1c30f4d626d29ad458476bb12739164f2650752445ce0e210

NanoCore

bba099a7d260b2f39a2e84ffbabfc021d1ffaa1c13f38fc5c6c72b27bc476515

NanoCore

ec931494834c3ba43ce8bd08f7d8caab6648dd832ee1d2973ee3a746c71d1a9a

NanoCore

+ 1 additional samples on MalwareBazaar

Hatching Triage nanocore

Result

Malware family:

nanocore

Alert

Create hunting rule

Score:

  10/10

Tags:

family:nanocore keylogger spyware stealer trojan

Link:

https://tria.ge/reports/231222-xjl2rsfdf5/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

NanoCore

Malware Config

C2 Extraction:

globron.duckdns.org:9192

UnpacMe

Unpacked files

SH256 hash:

e211906985617f6ece64c7309ac60b26e133ee56c9b9016ce2186f2ae71d8ecf

MD5 hash:

cccb899d6c57a95d4266155e87a8aabe

SHA1 hash:

08c29ec1b310dc2e82cffdb72f528f4cc6781e6b

Link:

https://www.unpac.me/results/e377bdb4-4d6b-445e-9f11-88b2f27550c1/

VMRay NanoCore

Malware family:

NanoCore

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/e21190698561/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e211906985617f6ece64c7309ac60b26e133ee56c9b9016ce2186f2ae71d8ecf

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NanoCore

exe e211906985617f6ece64c7309ac60b26e133ee56c9b9016ce2186f2ae71d8ecf

(this sample)

  

Delivery method

Distributed via web download

  

URLhaus

https://urlhaus.abuse.ch/url/2743777/

Cape

https://www.capesandbox.com/analysis/469073/

Comments

---

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2023-12-22 18:53:00 UTC

url : hxxp://www.bcmnursing.com/QubpyznbC7neo.exe