MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4936f703c3766d5968297c3e682fc5be8a3af59fa6557502b5e29af7a4f8c925. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4936f703c3766d5968297c3e682fc5be8a3af59fa6557502b5e29af7a4f8c925
SHA3-384 hash: 9ab61d628e4558c69df89e8135140a5a590308336d88b914d9f7fe67e62c5a36f2cef5a7cac6bf7f1930d98536df1746
SHA1 hash: cd063687d91fbca5fb2652333af88189096c6d23
MD5 hash: c55bd79f51ca18a55570699534e33250
humanhash: artist-enemy-hot-mike
File name:item_sheet_728_2020_PDF.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:749'056 bytes
First seen:2020-07-29 05:24:40 UTC
Last seen:2020-07-29 05:50:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e8ef47e85c79ee608837cc415c05c43b (15 x AgentTesla, 5 x NanoCore, 5 x Loki)
ssdeep 12288:LRXtpnVH9Az44BnvOCDhzcl0UdKndi2bnXKY3auRSUeKXXepb:Lfd8z4byilBdlGX33aISUpXupb
Threatray 3'004 similar samples on MalwareBazaar
TLSH 31F49E66B2E14933D1A71E789C1B57649F3BBE002E2859C62FFC1C4C9F397813866297
Reporter jarumlus
Tags:NanoCore

Intelligence

File Origin
# of uploads :
3
# of downloads :
67
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Nanocore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/34123/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file in the %AppData% subdirectories
Creating a file in the Program Files subdirectories
Creating a file in the %temp% directory
Launching a process
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Enabling autorun with Startup directory
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/401190
Signature
.NET source code contains potential unpacker
Contains functionality to detect sleep reduction / modifications
Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 252809 Sample: item_sheet_728_2020_PDF.exe Startdate: 29/07/2020 Architecture: WINDOWS Score: 100 88 Found malware configuration 2->88 90 Malicious sample detected (through community Yara rule) 2->90 92 Multi AV Scanner detection for dropped file 2->92 94 14 other signatures 2->94 10 item_sheet_728_2020_PDF.exe 2->10         started        13 item_sheet_728_2020_PDF.exe 2->13         started        15 dhcpmon.exe 2->15         started        17 dhcpmon.exe 2->17         started        process3 signatures4 98 Detected unpacking (changes PE section rights) 10->98 100 Detected unpacking (creates a PE file in dynamic memory) 10->100 102 Detected unpacking (overwrites its own PE header) 10->102 104 Contains functionality to detect sleep reduction / modifications 10->104 19 item_sheet_728_2020_PDF.exe 1 14 10->19         started        24 item_sheet_728_2020_PDF.exe 10->24         started        106 Maps a DLL or memory area into another process 13->106 26 item_sheet_728_2020_PDF.exe 13->26         started        28 item_sheet_728_2020_PDF.exe 3 13->28         started        30 dhcpmon.exe 15->30         started        32 dhcpmon.exe 15->32         started        34 dhcpmon.exe 17->34         started        36 dhcpmon.exe 3 17->36         started        process5 dnsIp6 86 79.134.225.72, 1990, 49744, 49753 FINK-TELECOM-SERVICESCH Switzerland 19->86 76 C:\Program Files (x86)\...\dhcpmon.exe, PE32 19->76 dropped 78 C:\Users\user\AppData\Roaming\...\run.dat, ISO-8859 19->78 dropped 80 C:\Users\user\AppData\Local\...\tmpD525.tmp, XML 19->80 dropped 82 C:\...\dhcpmon.exe:Zone.Identifier, ASCII 19->82 dropped 96 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->96 38 schtasks.exe 1 19->38         started        40 schtasks.exe 1 19->40         started        42 item_sheet_728_2020_PDF.exe 26->42         started        84 C:\Users\...\item_sheet_728_2020_PDF.exe.log, ASCII 28->84 dropped 45 dhcpmon.exe 30->45         started        47 dhcpmon.exe 34->47         started        file7 signatures8 process9 signatures10 49 conhost.exe 38->49         started        51 conhost.exe 40->51         started        108 Maps a DLL or memory area into another process 42->108 53 item_sheet_728_2020_PDF.exe 42->53         started        55 item_sheet_728_2020_PDF.exe 42->55         started        57 dhcpmon.exe 45->57         started        59 dhcpmon.exe 45->59         started        61 dhcpmon.exe 47->61         started        process11 process12 63 item_sheet_728_2020_PDF.exe 53->63         started        66 dhcpmon.exe 57->66         started        signatures13 110 Maps a DLL or memory area into another process 63->110 68 item_sheet_728_2020_PDF.exe 63->68         started        70 item_sheet_728_2020_PDF.exe 63->70         started        72 dhcpmon.exe 66->72         started        74 dhcpmon.exe 66->74         started        process14
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4936f703c3766d5968297c3e682fc5be8a3af59fa6557502b5e29af7a4f8c925/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2020-07-29 01:46:00 UTC
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=je3poa6dozwvs2bjpq7gql6fx2fdv5m7uzkxkavv4knppjhyzesq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
175bdb11453e65abc7c2d64a37b69d0bea771353c4eefbaa0d3ffb649292e2fc
NanoCore
3a8a04925d66b89b7cdb459aa6fc33e5132c447efcc541ab86e17b74f64a8287
NanoCore
3bcbadf163bd228438e9094d4be5b79639e501e55bcff4c879ec8fe4ccb71703
NanoCore
48f66677fec3c6d3734c439ed9b2fd29cb26a155e8ccb28f30c1b2b65a4878d8
NanoCore
4ffdfd5cf9dc5f01ef37c75d1ca13d8e59afe458c0a9f7db7b6e8954d8eb6fdb
NanoCore
5901a8e4a36574b8ca6cb3c899e64cdfc27395de606cd4a512431e6dd827196f
NanoCore
8359e964cc6f542d0b069ece3e6529726d432b4946e054ac3b1c1bedcef2f7d8
NanoCore
be991fbee477b265767ac176f6e0c35de51c9616d58a4e72b1b2929d292fe0c1
NanoCore
d19e690275e1eec487544552366accd109567893c79b3634cef31515b9a0a19b
NanoCore
da8f7980c887ac05dd4c2e53c50c17bebe208be1758d6b7879144efb53d5a963
NanoCore
+ 2'994 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
upx persistence evasion trojan keylogger stealer spyware family:nanocore
Link:
https://tria.ge/reports/200729-k1pxt8m9zs/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
UPX packed file
NanoCore
Malware Config
C2 Extraction:
:1990
79.134.225.72:1990
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Farheyt
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/4936f703c3766d5968297c3e682fc5be8a3af59fa6557502b5e29af7a4f8c925

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

gz 7f6c4bd3d08ae6336af2e59ad2d584fb2cf8c392dc6caa23f3bb9cdfd1dd43fc

NanoCore

Executable exe 4936f703c3766d5968297c3e682fc5be8a3af59fa6557502b5e29af7a4f8c925

(this sample)

  
Dropped by
MD5 5d0480d8a00e76c269d0707aa3e54c36
  
Dropped by
SHA256 7f6c4bd3d08ae6336af2e59ad2d584fb2cf8c392dc6caa23f3bb9cdfd1dd43fc
  
Dropped by
NanoCore
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/34123/

Comments