MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 26a66cf0d4dd345800c6695287e2c2d54a70f98892edffcd27c2f9475ac9ca82. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 10

Intelligence 10 IOCs YARA 5 File information Comments

SHA256 hash:	26a66cf0d4dd345800c6695287e2c2d54a70f98892edffcd27c2f9475ac9ca82
SHA3-384 hash:	2744a7860a8ca6326a5d938f0bad82e863281c73e5905dde0ecf7b55bb7589a27c94731c183cba4fffd6c44c78068a27
SHA1 hash:	39a4ec8b8ee0e78a0cfe347dd37893b433e19747
MD5 hash:	b67a8155bd5e9c453bbc8420fa1fe955
humanhash:	lima-mobile-apart-magnesium
File name:	SecuriteInfo.com.Trojan.GenericKD.43501961.36.20076
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	1'327'104 bytes
First seen:	2020-07-17 08:41:00 UTC
Last seen:	2020-07-17 09:37:38 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	0c5b8cda113321af99181107d17acd11 (1 x NanoCore)
ssdeep	24576:1FWK+XwwXlUDr8nLJ3pZoWzmCXw1dfovHFqTEmtK8sXf:121Uv1dfKF5DZP
Threatray	226 similar samples on MalwareBazaar
TLSH	2F554CAD3890E376F99D02303C168CD0DA9EB93A48118566FF7767A47A3149FD048BDB
Reporter	SecuriteInfoCom
Tags:	NanoCore

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

NanoCore

Link:

https://www.capesandbox.com/analysis/27277/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.43501961.36.20076.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Sending an HTTP GET request

Creating a file in the %temp% subdirectories

Reading critical registry keys

Creating a file

Deleting a recently created file

Reading Telegram data

Running batch commands

Creating a process with a hidden window

Launching a process

Sending a TCP request to an infection source

Stealing user critical data

Result

Threat name:

Nanocore

Detection:

malicious

Classification:

rans.troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/389036

Signature

Antivirus / Scanner detection for submitted sample

Detected Nanocore Rat

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Potential malicious icon found

Sample uses process hollowing technique

Sigma detected: NanoCore

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Nanocore RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

nanocore

Link:

https://mwdb.cert.pl/sample/26a66cf0d4dd345800c6695287e2c2d54a70f98892edffcd27c2f9475ac9ca82/

Threat name:

Win32.Backdoor.NanoCore

Status:

Malicious

First seen:

2020-07-16 18:26:00 UTC

AV detection:

24 of 28 (85.71%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=e2tgz4gu3u2fqaggnfjipywc2vfhb6mislw77tjhyl4uowwjzkba._file

Verdict:

malicious

Label(s):

azorult

Result

Malware family:

nanocore

Score:

10/10

Tags:

persistence evasion trojan keylogger stealer spyware family:nanocore

Link:

https://tria.ge/reports/200717-2kd9c74lxs/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious behavior: MapViewOfSection

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Drops file in Program Files directory

Suspicious use of SetThreadContext

Adds Run key to start application

Checks whether UAC is enabled

NanoCore

Malware Config

C2 Extraction:

se7ense7en.hopto.org:1759

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Unknown

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/26a66cf0d4dd345800c6695287e2c2d54a70f98892edffcd27c2f9475ac9ca82

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/