MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e91ea83827ae817d0a858fffbc19aaef355cd2e7eb5ede82d099d5ccf1de9fd9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 16


Intelligence 16 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e91ea83827ae817d0a858fffbc19aaef355cd2e7eb5ede82d099d5ccf1de9fd9
SHA3-384 hash: 1709b7224a797e761ce7d54b785b476f67afcbc4e65ad2fa33001ba593dfac713327a3716d762ed6419a5427d2433bd2
SHA1 hash: 431ab5dfeb73245c5550c7a2a6c650e18eaa8a69
MD5 hash: 36c3e8b4c711cb2b28d3f1e82f26ae05
humanhash: batman-carbon-quebec-echo
File name:TNT AWB TRACKING DETAILS.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:949'760 bytes
First seen:2022-08-27 00:36:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep 24576:eXrnaphZGGWp+E4QjbjG3WWyKdPp7bIvWsDcWI:4ihZy1q39ysHIv/D
Threatray 5'738 similar samples on MalwareBazaar
TLSH T142151253339C8713D9BF93F5FC5214980BB26A0A6A92C7ED0CA218DF0D74B45496B72B
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f0c4ccdcdce8f0f0 (6 x Formbook, 6 x AgentTesla, 2 x NanoCore)
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
NanoCore C2:
79.134.225.115:7688

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
79.134.225.115:7688 https://threatfox.abuse.ch/ioc/845612/

Intelligence

File Origin
# of uploads :
1
# of downloads :
403
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
TNT AWB TRACKING DETAILS.exe
Verdict:
Malicious activity
Analysis date:
2022-08-27 00:53:36 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2390aa4e-cb8f-45bc-a9ab-50bbc7beb039

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/301475/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1429.2519.5249.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Launching a process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm packed
Link:
https://www.filescan.io/uploads/63096789393b1c8c4717d09c/reports/02db3ac8-23d4-426a-b606-3525b51ec56d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NanoCoreRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/30d8bac9-e8f1-42f7-879f-b01585da9c17
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1058708
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 691221 Sample: TNT AWB TRACKING DETAILS.exe Startdate: 27/08/2022 Architecture: WINDOWS Score: 100 52 chinomso.duckdns.org 2->52 56 Snort IDS alert for network traffic 2->56 58 Multi AV Scanner detection for domain / URL 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 15 other signatures 2->62 9 TNT AWB TRACKING DETAILS.exe 3 2->9         started        13 dhcpmon.exe 2 2->13         started        15 dhcpmon.exe 3 2->15         started        17 TNT AWB TRACKING DETAILS.exe 2 2->17         started        signatures3 process4 file5 50 C:\Users\...\TNT AWB TRACKING DETAILS.exe.log, ASCII 9->50 dropped 66 Injects a PE file into a foreign processes 9->66 19 TNT AWB TRACKING DETAILS.exe 1 13 9->19         started        24 dhcpmon.exe 13->24         started        26 dhcpmon.exe 13->26         started        28 dhcpmon.exe 13->28         started        30 dhcpmon.exe 15->30         started        32 TNT AWB TRACKING DETAILS.exe 17->32         started        signatures6 process7 dnsIp8 54 chinomso.duckdns.org 79.134.225.115, 49756, 49766, 49768 FINK-TELECOM-SERVICESCH Switzerland 19->54 42 C:\Program Files (x86)\...\dhcpmon.exe, PE32 19->42 dropped 44 C:\Users\user\AppData\Roaming\...\run.dat, data 19->44 dropped 46 C:\Users\user\AppData\Local\...\tmp1AF3.tmp, XML 19->46 dropped 48 C:\...\dhcpmon.exe:Zone.Identifier, ASCII 19->48 dropped 64 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->64 34 schtasks.exe 1 19->34         started        36 schtasks.exe 1 19->36         started        file9 signatures10 process11 process12 38 conhost.exe 34->38         started        40 conhost.exe 36->40         started       
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e91ea83827ae817d0a858fffbc19aaef355cd2e7eb5ede82d099d5ccf1de9fd9/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-08-27 00:37:29 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5epkqobhv2ax2cufr773ygnk542vzuxh5npn5awqthk4z4o6t7mq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
njrat
Create hunting rule
Similar samples:
42160df191b53ba66deac9a1dcb81f52f1712831a07d359d7c4bf9b5574c4707
NanoCore
66b83ea08aae693557315e3e62fcdc14e3ab57c51d43a10a4bacf1d5e05c6988
NanoCore
75d8f694cc59aaf61da837b61782e3c1004ee310918f3fc3ee34ee1b7b0c0a9d
NanoCore
771088b4c7a646b7f6f7d2d73948923f15dce833d33891889585996b5e2e3290
NanoCore
77ec85f10b4bd4847f5db6c938547d78c35417c0a5503f1a7bdd4a2594964c95
NanoCore
c27008bd825faf145c4d214450c1044c3927d01a2d7da850da862c51018d0ccd
NanoCore
e1ee64f883461b2467c9ba0efb86934add2505f1e230126a12d835a796d2f869
NanoCore
ede54ddd1ad0cc12aeb64653aee9b3d056263312bf2221ee7f640fd3fcbf11cb
NanoCore
efc5e38081320031708585d42e346cd6080b7b0bf8d16f5872f2fbe457c3c0ca
NanoCore
f8b172fef8728a9ec1ad7b73e5f59c6750d53244dbce42a769c910b673669236
NanoCore
+ 5'728 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/220827-aygz2abfgm/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
NanoCore
Malware Config
C2 Extraction:
chinomso.duckdns.org:7688
Unpacked files
SH256 hash:
600c6bea5ec99115abf4b96ce0af93a42d4ffede6995a79fa2f56a4cc35b2db2
MD5 hash:
43758a06dc74e5bf095d26737b7bebc9
SHA1 hash:
8c5ae3a3c18cc1768b32945801af7f2e6f03ebf7
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/410fe009-58fe-47ee-8dcf-b87a98764469/
Parent samples :
ff052f02cf5c2ce9ea22f4eea1404afd593e20196b705c02aaaf01748bb1bd2e
2bdddf286d7d4a828edab0a6669e06e208f020e70e6ead03c54a95b371c42bf4
e91ea83827ae817d0a858fffbc19aaef355cd2e7eb5ede82d099d5ccf1de9fd9
SH256 hash:
8d5eaca9a5955c613662d98dfbda9302808d41f9e69fb38a66381696f9ef1dde
MD5 hash:
51ea12b328b7448e84735cd76ebae21b
SHA1 hash:
591550f023a09a247f9a968d13638cebab9628f0
Link:
https://www.unpac.me/results/410fe009-58fe-47ee-8dcf-b87a98764469/
SH256 hash:
7a4c0e66ced1092e023f9bf43a66320858127db574a2b172dc9c73dbfed1a606
MD5 hash:
d9da57ddae3ba583224c1ebbe4d3748e
SHA1 hash:
f64604b8adfa131803834f66d7ea873d755ea3b3
Link:
https://www.unpac.me/results/410fe009-58fe-47ee-8dcf-b87a98764469/
SH256 hash:
9b4aee132a0228378d66a57fda3a2030952309ef74cf2db724ac916b04d8c034
MD5 hash:
93c6391d23c1aa1ed66fb13f82f2ee31
SHA1 hash:
220098c3047c32b51ae13a5cc1e9beeef3da6e18
Link:
https://www.unpac.me/results/410fe009-58fe-47ee-8dcf-b87a98764469/
SH256 hash:
285a8f9243336c4baf4f748f2104dcf18296f1e71bf234f9fa738688eb5b26bc
MD5 hash:
276003263f8f970f6d0e4031f177d0a9
SHA1 hash:
06968c989c7e1e38fa412eec0366fbcae98e5bd9
Link:
https://www.unpac.me/results/410fe009-58fe-47ee-8dcf-b87a98764469/
SH256 hash:
e91ea83827ae817d0a858fffbc19aaef355cd2e7eb5ede82d099d5ccf1de9fd9
MD5 hash:
36c3e8b4c711cb2b28d3f1e82f26ae05
SHA1 hash:
431ab5dfeb73245c5550c7a2a6c650e18eaa8a69
Link:
https://www.unpac.me/results/410fe009-58fe-47ee-8dcf-b87a98764469/
Malware family:
NanoCore
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e91ea83827ae/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e91ea83827ae817d0a858fffbc19aaef355cd2e7eb5ede82d099d5ccf1de9fd9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/301475/

Comments