MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69
SHA3-384 hash: f5d9025212baba1c1d5bde39a7b843fe5921d7189fff5316f7af42ab7b3924712bb7356f3abc1027d0970c6c6acc0e23
SHA1 hash: f988d7aa9c15fd002b1f7ab2a0a5fd273e592bbd
MD5 hash: 665a89d53afdaca17a8a3255a2c37b4e
humanhash: table-venus-victor-tennis
File name:665a89d53afdaca17a8a3255a2c37b4e.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:12'288 bytes
First seen:2022-09-18 14:05:26 UTC
Last seen:2022-09-18 15:14:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 192:bMXUSWUFL+SV/sDRI/yih5g9WuiEguKkyosMpp:UdL+SV/o6KOdhlosa
Threatray 4'648 similar samples on MalwareBazaar
TLSH T14742D909DFDEA233DF7FD2B088718542A26091936937DFAF16D0522D1D13295A983BF4
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
NanoCore C2:
95.70.139.81:54984

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
95.70.139.81:54984 https://threatfox.abuse.ch/ioc/850327/

Intelligence

File Origin
# of uploads :
2
# of downloads :
466
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
nanocore
Create hunting rule
ID:
1
File name:
665a89d53afdaca17a8a3255a2c37b4e.exe
Verdict:
Malicious activity
Analysis date:
2022-09-18 14:08:15 UTC
Tags:
opendir loader trojan nanocore rat redline
Link:
https://app.any.run/tasks/f8854b85-d4b7-466e-abbb-caeca6669097

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/311080/
Detection(s):
SecuriteInfo.com.Variant.Tedy.176110.7252.30566.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Variant.Tedy.176110.1583.20683.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Searching for synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Creating a file in the Program Files subdirectories
Creating a file
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/632725df35180ec88e33b197/reports/2d594c5f-dbef-4617-8a3a-b9f3febd12f1/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/34f83de5-cdf8-456e-a856-12e3b944506b
Result
Threat name:
Nanocore, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1072491
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Sigma detected: NanoCore
Snort IDS alert for network traffic
Yara detected Generic Downloader
Yara detected MSILDownloaderGeneric
Yara detected Nanocore RAT
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 705033 Sample: wDduAbuezS.exe Startdate: 18/09/2022 Architecture: WINDOWS Score: 100 53 Snort IDS alert for network traffic 2->53 55 Multi AV Scanner detection for domain / URL 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 16 other signatures 2->59 8 wDduAbuezS.exe 15 4 2->8         started        13 dhcpmon.exe 3 2->13         started        process3 dnsIp4 37 81.161.229.110, 49707, 49709, 49711 CMCSUS Germany 8->37 31 C:\Users\user\AppData\...\RuntimeBroker.exe, PE32 8->31 dropped 33 C:\Users\user\AppData\...\wDduAbuezS.exe.log, ASCII 8->33 dropped 61 Injects a PE file into a foreign processes 8->61 15 RuntimeBroker.exe 1 12 8->15         started        20 wDduAbuezS.exe 2 8->20         started        file5 signatures6 process7 dnsIp8 39 95.70.139.81, 49710, 49712, 49713 ASTURKNETTR Turkey 15->39 27 C:\Users\user\AppData\Roaming\...\run.dat, COM 15->27 dropped 29 C:\Program Files (x86)\...\dhcpmon.exe, PE32 15->29 dropped 43 Antivirus detection for dropped file 15->43 45 Multi AV Scanner detection for dropped file 15->45 47 Protects its processes via BreakOnTermination flag 15->47 51 2 other signatures 15->51 41 cdn.discordapp.com 162.159.134.233, 443, 49708 CLOUDFLARENETUS United States 20->41 49 Injects a PE file into a foreign processes 20->49 22 wDduAbuezS.exe 3 20->22         started        file9 signatures10 process11 dnsIp12 35 51.103.25.183, 12220, 49716, 49717 MICROSOFT-CORP-MSN-AS-BLOCKUS United Kingdom 22->35 25 conhost.exe 22->25         started        process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2022-09-18 14:06:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
19 of 25 (76.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5xfr4xk7zfjhspgw5uycmksxq7msmvphw3qj22yymbl6nohjfvuq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
1b8211b6c45db62e042398a3d94c429941a3f91b26736cd4fdcb712b70d2c194
NanoCore
1feec92d18902bbc841954145ee920e2dff92ed61759b17e451d8e59b95336ef
NanoCore
3dddb479a1240c5cfdc2636cdd8bc0ecd3d2e9da37a6b4d73e206a768cc24181
NanoCore
b34fa89e905c433fba20cea1f354208d0e2d4d3bf68796ce12cc53288302a69b
NanoCore
e527276384d145defb319a3c2adeb52e7825e5a7f8f7459ebc368c31a4018f03
NanoCore
fc0b31c02af9d2ce1c9e0b408777044c7cbc917e82be46ce486550023a083f15
NanoCore
+ 4'638 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:nanocore family:redline botnet:cheat evasion infostealer keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/220918-red8gabch6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
NanoCore
RedLine
RedLine payload
Malware Config
C2 Extraction:
95.70.139.81:54984
51.103.25.183:12220
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4f79a1f3-117f-4645-acc3-9827d9e9136a
Unpacked files
SH256 hash:
edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69
MD5 hash:
665a89d53afdaca17a8a3255a2c37b4e
SHA1 hash:
f988d7aa9c15fd002b1f7ab2a0a5fd273e592bbd
Link:
https://www.unpac.me/results/0b79b61a-1a71-4d3b-8cd0-89886185d723/
Malware family:
NanoCore
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/edcb1e5d5fc9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:RansomwareTest6
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:Redline32
Create hunting rule
Author:Muffin
Description:This rule detects Redline Stealer
Rule name:RedLine_a
Create hunting rule
Author:@bartblaze
Description:Identifies RedLine stealer.
Rule name:redline_new_bin
Create hunting rule
Author:James_inthe_box
Description:Redline stealer
Reference:https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NanoCore

Executable exe edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2306831/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/311080/

Comments