MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 116aa7bc57d59020e469c51acb832bfb44fa109a65155e9749506168860f6e06. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 7

Intelligence 7 IOCs 1 YARA 8 File information Comments

SHA256 hash:	116aa7bc57d59020e469c51acb832bfb44fa109a65155e9749506168860f6e06
SHA3-384 hash:	ec0e1a5a0258662cfc05f1a684f7f66ccffc5bce992600296a3770b3602b0f9c68330166de385df3da72feff931f1be7
SHA1 hash:	8c29b1198cd2a0bebd5c798b9d7572aa18d70a7f
MD5 hash:	842f165abb3389385c52ad52a72235e9
humanhash:	gee-skylark-mississippi-washington
File name:	G8b1n3m27zInvoicereceipt.vbs
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	731 bytes
First seen:	2021-08-11 16:16:36 UTC
Last seen:	Never
File type:	vbs
MIME type:	text/plain
ssdeep	12:dXVlTX7Fl9kQOGv9IXeNcMf+8irXWMMeRo8N5zliwqhP/jvVlg7:Tl7FeG9geNcxXLMeyMgV67
Threatray	2'547 similar samples on MalwareBazaar
TLSH	T194012801B952F1F39106F747DDF11279A6E7B6A49891E595206C829F00BB8AE2E83E50
Reporter	abuse_ch
Tags:	NanoCore RAT vbs

abuse_ch

NanoCore C2:
20.185.47.68:3500

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
20.185.47.68:3500	https://threatfox.abuse.ch/ioc/171886/

Intelligence

File Origin

# of uploads :

# of downloads :

415

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/178346/

Detection(s):

SecuriteInfo.com.Trojan.Script.Wacatac.Bml.21384.15761.UNOFFICIAL

Result

Verdict:

UNKNOWN

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/831135

Signature

Creates an undocumented autostart registry key

Obfuscated command line found

Sigma detected: Suspicious PowerShell Command Line

VBScript performs obfuscated calls to suspicious functions

Wscript starts Powershell (via cmd or directly)

Yara detected Powershell download and execute

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/116aa7bc57d59020e469c51acb832bfb44fa109a65155e9749506168860f6e06/

Threat name:

Script.Downloader.Heuristic

Status:

Malicious

First seen:

2021-08-11 16:17:08 UTC

AV detection:

3 of 46 (6.52%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cfvkppcx2wicbzdjyunmxazl7ncpuee2mukv5f2jkbqwrbqpnyda._file

Verdict:

malicious

Label(s):

nanocorerat

NanoCore

62820764aa07d5d7aa0cd0f3f6decc6aa576fcd411e7561646151aa77d765174

NanoCore

88614f9e923a5d979c64bee190f05f0932bc01f351ded417c59e1b2a92be560b

NanoCore

a895ff58cb18d3a5fa3900d36f150c9a1bd213240f77ef8218fec015d6355825

NanoCore

ab59fbf0ee10b8c5428479b1f5dfdb5cfc87dd40407b3742814ab34611f32b1d

NanoCore

c3ddf55e53888193522a7b619370b746cb0a79502c5157a98754a9009f644a11

NanoCore

eeeb29513e624adb88d3c2e9f89379361aa356001dc338cb6ec9034a48bdc2cd

NanoCore

+ 2'537 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

family:nanocore keylogger spyware stealer suricata trojan

Link:

https://tria.ge/reports/210811-pyse8pbh6s/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

Blocklisted process makes network request

NanoCore

suricata: ET MALWARE DTLoader Binary Request M2

suricata: ET MALWARE Possible NanoCore C2 60B

Malware Config

C2 Extraction:

augcavite.duckdns.org:3500

Dropper Extraction:

https://transfer.sh/1yMN9Zg/bypass.txt

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/116aa7bc57d59020e469c51acb832bfb44fa109a65155e9749506168860f6e06

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	nanocore_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_nanocore_w0 Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/178346/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample