MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e92efa61a4ae7376c52f323abae88f5303a217b58966e4a71042fbebd0cba60a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NanoCore


Vendor detections: 15



SHA256 hash: e92efa61a4ae7376c52f323abae88f5303a217b58966e4a71042fbebd0cba60a
SHA3-384 hash: 62be09f1627742bbff5556ebff00c87f74c5f7a8b381de80a18ef9831732413205c8102567fa54f80d05389800e72002
SHA1 hash: 5e15fd3f589d52c0b2c6e0e20e66c6b299646a59
MD5 hash: 7033ae8b4afbadb27abbd7b3b5bdb085
humanhash: georgia-juliet-pip-william
File name: NEW ORDER LIST .xls.exe
Signature NanoCore
File size: 684'544 bytes
First seen: 2023-04-10 13:45:11 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep: 12288:6BX65Pf63JHFbaDoiJqLyl173SMn0XuEaWvvcCmyL/pheNQq8:6M563Lvyl17iM0Naqc4L7eNe
Threatray: 1'608 similar samples on MalwareBazaar
TLSH: T1FDE4022D17B1DF62C41C17FE2410494223B4D196B992E72FAF87A3C65E73B428E192E7
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon: b0cf4a4c4c4ccfb0 (31 x Formbook, 20 x RemcosRAT, 18 x AgentTesla)
Reporter: abuse_ch
Tags: exe NanoCore RAT


abuse_ch
NanoCore C2:
213.152.161.229:6324

Intelligence


File Origin
# of uploads: 1
# of downloads: 377
Origin country: NL
Vendor Threat Intelligence
Malware family: nanocore
ID: 1
File name: NEW ORDER LIST .xls.exe
Verdict: Malicious activity
Analysis date: 2023-04-10 13:46:29 UTC
Tags: nanocore

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:
Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: floxif lokibot packed virus
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Nanocore
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Uses an obfuscated file name to hide its real file extension (double extension)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Nanocore RAT
Behaviour
Behavior Graph: [graph image not reproduced] Behavior Graph ID: 844011; Sample: NEW_ORDER_LIST_.xls.exe; Startdate: 10/04/2023; Architecture: WINDOWS; Score: 100.
Process nodes: NEW_ORDER_LIST_.xls.exe (starts NEW_ORDER_LIST_.xls.exe, powershell.exe, schtasks.exe), XhqvcLIDz.exe (starts schtasks.exe, XhqvcLIDz.exe and 2 other processes), dhcpmon.exe (starts schtasks.exe, dhcpmon.exe), conhost.exe.
Dropped files: C:\Users\user\AppData\Roaming\XhqvcLIDz.exe (PE32); C:\Users\...\XhqvcLIDz.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp1242.tmp (XML); C:\Program Files (x86)\...\dhcpmon.exe (PE32); C:\Users\user\AppData\Roaming\...\run.dat (zlib); C:\...\dhcpmon.exe:Zone.Identifier (ASCII).
Network nodes: moonandbebe.ddns.net (213.152.161.229, port 6324, GLOBALLAYERNL, Netherlands); 192.168.2.1 (unknown).
Graph signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; Sigma detected: Scheduled temp file as task from temp location; Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes; Machine Learning detection for dropped file; Hides that the sample has been downloaded from the Internet (zone.identifier); Uses dynamic DNS services; 11 other signatures.
Threat name: Win32.Trojan.Casdet
Status: Malicious
First seen: 2023-04-10 13:46:09 UTC
File Type: PE (.Net Exe)
Extracted files: 13
AV detection: 17 of 24 (70.83%)
Threat level: 5/5
Result
Malware family: nanocore
Score: 10/10
Tags: family:nanocore evasion keylogger persistence spyware stealer trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Checks computer location settings
Unexpected DNS network traffic destination
NanoCore
Malware Config
C2 Extraction: moonandbebe.ddns.net:6324, 127.0.0.1:6324
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments