MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6a19a144807268d406c6da55513ae24493b2d411ba8e2a2e15567d66e55d976b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NanoCore


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 11 File information Comments

SHA256 hash: 6a19a144807268d406c6da55513ae24493b2d411ba8e2a2e15567d66e55d976b
SHA3-384 hash: b249115620f13b02dab9f4c8c37a565a4bc623c0f6a4259dffdae3bd8414ba83f963b91771be77bc4880be0102263cc4
SHA1 hash: 0ac9e261eafc36f2d8a7bda5755b44c9d8c883e9
MD5 hash: b462382cb954466386f9334247e0a34c
humanhash: table-mango-steak-burger
File name:b462382cb954466386f9334247e0a34c.exe
Download: download sample
Signature NanoCore
File size:31'232 bytes
First seen:2021-09-27 18:17:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (23'043 x AgentTesla, 5'566 x Formbook, 3'013 x Loki)
ssdeep 768:X1S7dO4lGn8pAw5sY0EIWCqgFDlZ8Lq7d:X1YbEnDwOEnCqMZF7d
Threatray 3'020 similar samples on MalwareBazaar
TLSH T1C6E24A043648CB7BD66D233E8A97044053FED7632633C61FAFCC65E958E27490F55AA1
Reporter @abuse_ch
Tags:exe NanoCore RAT


Twitter
@abuse_ch
NanoCore C2:
194.147.140.25:6746

Intelligence


File Origin
# of uploads :
1
# of downloads :
200
Origin country :
FR FR
Mail intelligence
No data
Vendor Threat Intelligence
ID:
1
File name:
b462382cb954466386f9334247e0a34c.exe
Verdict:
Malicious activity
Analysis date:
2021-09-27 18:20:41 UTC
Tags:
trojan nanocore rat

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:
Malware family:
Generic Malware
Verdict:
Malicious
Result
Threat name:
Nanocore
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Signature
Adds a directory exclusion to Windows Defender
Changes security center settings (notifications, updates, antivirus, firewall)
Creates autostart registry keys with suspicious names
Detected Nanocore Rat
Drops PE files with benign system names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Powershell Defender Exclusion
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Yara detected AntiVM3
Yara detected Nanocore RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 491708 Sample: s9SWgUgyO5.exe Startdate: 27/09/2021 Architecture: WINDOWS Score: 100 75 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->75 77 Malicious sample detected (through community Yara rule) 2->77 79 Multi AV Scanner detection for submitted file 2->79 81 9 other signatures 2->81 7 s9SWgUgyO5.exe 18 6 2->7         started        12 svchost.exe 2->12         started        14 svchost.exe 2->14         started        16 10 other processes 2->16 process3 dnsIp4 67 cdn.discordapp.com 162.159.133.233, 443, 49736, 49742 CLOUDFLARENETUS United States 7->67 69 192.168.2.1 unknown unknown 7->69 61 C:\Users\Public\Documents\...\svchost.exe, PE32 7->61 dropped 63 C:\Users\...\svchost.exe:Zone.Identifier, ASCII 7->63 dropped 85 Creates autostart registry keys with suspicious names 7->85 87 Adds a directory exclusion to Windows Defender 7->87 89 Hides threads from debuggers 7->89 91 Drops PE files with benign system names 7->91 18 s9SWgUgyO5.exe 7->18         started        23 WerFault.exe 7->23         started        25 powershell.exe 25 7->25         started        31 2 other processes 7->31 93 System process connects to network (likely due to code injection or exploit) 12->93 95 Multi AV Scanner detection for dropped file 12->95 97 Machine Learning detection for dropped file 12->97 27 powershell.exe 12->27         started        29 powershell.exe 12->29         started        33 2 other processes 12->33 71 162.159.130.233, 443, 49748 CLOUDFLARENETUS United States 14->71 35 4 other processes 14->35 73 127.0.0.1 unknown unknown 16->73 99 Changes security center settings (notifications, updates, antivirus, firewall) 16->99 37 4 other processes 16->37 file5 signatures6 process7 dnsIp8 65 friomo.duckdns.org 194.147.140.25, 49741, 49746, 49750 PTPEU unknown 18->65 57 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 18->57 dropped 83 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->83 59 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 23->59 dropped 39 conhost.exe 25->39         started        41 conhost.exe 27->41         started        43 conhost.exe 29->43         started        45 conhost.exe 31->45         started        47 conhost.exe 31->47         started        49 conhost.exe 33->49         started        51 conhost.exe 35->51         started        55 2 other processes 35->55 53 conhost.exe 37->53         started        file9 signatures10 process11
Threat name:
ByteCode-MSIL.Trojan.Woreflint
Status:
Malicious
First seen:
2021-09-24 01:35:00 UTC
AV detection:
10 of 28 (35.71%)
Threat level:
  5/5
Result
Malware family:
nanocore
Score:
  10/10
Tags:
family:nanocore evasion keylogger persistence spyware stealer suricata trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Windows security modification
NanoCore
Windows security bypass
suricata: ET MALWARE Possible NanoCore C2 60B
Malware Config
C2 Extraction:
friomo.duckdns.org:6746
Unpacked files
SH256 hash:
6a19a144807268d406c6da55513ae24493b2d411ba8e2a2e15567d66e55d976b
MD5 hash:
b462382cb954466386f9334247e0a34c
SHA1 hash:
0ac9e261eafc36f2d8a7bda5755b44c9d8c883e9
Malware family:
NanoCore
Verdict:
Malicious

YARA Signatures


MalareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious proccess dumps they may create. Please note that only results from TLP:WHITE rules are being displayeyd.

Rule name:ach_NanoCore
Author:abuse.ch
Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:Nanocore
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:nanocore_rat
Author:jeFF0Falltrades
Rule name:Nanocore_RAT_Feb18_1
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Feb18_1_RID2DF1
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:Nanocore_RAT_Gen_2_RID2D96
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:win_nanocore_w0
Author:Kevin Breen <kevin@techanarchy.net>

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
194.147.140.25:6746 https://threatfox.abuse.ch/ioc/227219

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments