MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 313519528c86c1ebd08c03ccc3a9640dcf4861c08313c89004113ee802568003. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 5

Intelligence 5 IOCs YARA 5 File information Comments

SHA256 hash:	313519528c86c1ebd08c03ccc3a9640dcf4861c08313c89004113ee802568003
SHA3-384 hash:	2d16321916fb2f235351e954637adbded669fa05302e37bf9c1d9ce40bee1b7ef65f623bcdebff8e7e9df570d52144dc
SHA1 hash:	127013ff55defc437b41bc8442e7d2bb45c17f3b
MD5 hash:	8f7b7cf4cf5a95ac404d9f7e047293a2
humanhash:	kansas-mockingbird-video-berlin
File name:	RFQ# 33257 QUOTE.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	292'864 bytes
First seen:	2020-05-14 13:18:49 UTC
Last seen:	2020-05-14 13:57:39 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep	6144:bjdLqu31tiad8CWbw+JWNRN40SHfGCUohE/It2nw0M:bxhiO8jbQc0SHOwRAnw0M
Threatray	1'206 similar samples on MalwareBazaar
TLSH	D954E158755476DFC46BDDB7C9A82C68AA503073872FC347A45326ECAA4CA8B8F101F7
Reporter	James_inthe_box
Tags:	exe NanoCore

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.33839431.29168.23838.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Noon

Status:

Malicious

First seen:

2020-05-14 02:01:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 31 (77.42%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ge2rsuumq3a6xuemapgmhklebxhuqyoaqmj4reaece7oqaswqabq._file

Verdict:

malicious

Label(s):

nanocorerat

NanoCore

408b676c05cde3623e9271d39c20ec19aaa9ad9882db0f08451442379409be99

NanoCore

640477c11295f4211d11bc6adaf108da81e315fd31dfbb02ea2d18e3008b55e5

NanoCore

7a970d2c945adc2f8c3bbd2f57eb1d21abe8916a4f631cfed312b73847832f2b

NanoCore

8366973011083e5a6ddd8b602c3bfb70d6334e9a28a0113215197c97774d6b0c

NanoCore

892703589bb24fa5224a33805e33d6fe8691705cc353d6b8a8730cbd39ba6348

NanoCore

a68d6f1f8eac6e726187af10e2c6a7372696792cfd1b73eecbe4b77a874590a7

NanoCore

b269ac01ba383c1e9a7311cdb2af843167b3a5652d8b0791f7d61ce636a439c3

NanoCore

dbca819ad2c4de0144bdb155bc19c18dc848ca4bcf85b5cd5fba645c7e814cef

NanoCore

f7db1be127a912d2570301c528decd649d8657c7e261c2f4b6c0cc5ac754409a

NanoCore

+ 1'196 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

family:nanocore evasion keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/201109-696ymx6twx/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Suspicious use of SetThreadContext

Adds Run key to start application

Checks whether UAC is enabled

NanoCore

Malware Config

C2 Extraction:

donko.publicvm.com:1818
185.140.53.7:1818

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name:	win_nanocore_w0 Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample