MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 781de34d3e2706aa0b05bdb69604b9532cbdd7297f38e9f2e18a06434a958e4b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 5

Intelligence 5 IOCs YARA 5 File information Comments

SHA256 hash:	781de34d3e2706aa0b05bdb69604b9532cbdd7297f38e9f2e18a06434a958e4b
SHA3-384 hash:	2cac96819f549ca119699864af0e9154d1e31edca8a25e0d852f466368104a6c37cfa0252308e6bf3b4afe5a81b047ca
SHA1 hash:	c9e5b8d4a1fa72d8eb95b26b5fcf30619f67e29e
MD5 hash:	ab0bc2cb02ff21dd72c76ad71978654a
humanhash:	low-louisiana-diet-don
File name:	781de34d3e2706aa0b05bdb69604b9532cbdd7297f38e9f2e18a06434a958e4b
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	1'806'848 bytes
First seen:	2020-06-10 12:11:34 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	9222d372923baed7aa9dfa28449a94ea (11 x AsyncRAT, 10 x RedLineStealer, 9 x NanoCore)
ssdeep	49152:0C0uO1C7NpCRBqoTJw+mc3J/pw7yrerfA7Br:0ChO1WpCnqD+5/iHA7
Threatray	2'313 similar samples on MalwareBazaar
TLSH	5F859B056262C22AF0C4A2F5D613D5F3A2187FA3C6978B9761B7FF2A36351E04C271D6
Reporter	JAMESWT_WT
Tags:	NanoCore

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Packer.Upx-49

PUA.Win.Packer.UpxProtector-1

PUA.Win.Packer.Upolyx-12

Win.Trojan.Nanocore-5

Win.Dropper.Onlinegames-6866227-0

Win.Trojan.Binder-6

Gathering data

Threat name:

Win32.Hacktool.Binder

Status:

Malicious

First seen:

2020-05-27 12:05:21 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

45 of 48 (93.75%)

Threat level:

1/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=pao6gtj6e4dkucyfxw3jmbfzkmwl3vzjp44ot4xbridegsuvrzfq._file

Verdict:

malicious

Label(s):

nanocorerat

NanoCore

49921e6531eac85bf200970640a074072f6071b7a18d23af56706788cd421c1c

NanoCore

52a0b32117ded008aba2f96eae8dcd1e49600fa1666ad517d03b81d71f62f8ac

NanoCore

77bcb3f1d311acfb214c527657fe74a31498e412b940da0a9933f0ad8ab3a5ff

NanoCore

a9cd75d30ef66be7f5d70754ff52882fbb390532669d60ad3ecb2df8a4f99a56

NanoCore

cbd78bfa67cd972d5c01472ce3f98e4500744c2544ca5fdddc3d9df49fbf1227

NanoCore

dc28fee9ff485f98bb7a9369a6e24ad8f1a63c123cc9c39ee676d933e1999fc6

NanoCore

f2f3fbce922931de773ca15e8486016a85595a41fec8cb94d29e7b16bdcc2bfe

NanoCore

ff83ce74018d4471c4cfffe406767fcd0db3ae76233e199fb3e3f5c0a40f7643

NanoCore

ff8e7032093434b49d2b60c9e821c94a35f90fb81cc06e289ebf01ce52f5c6f2

NanoCore

+ 2'303 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

family:nanocore evasion keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/201109-tz63baqzb6/

Behaviour

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Drops file in Program Files directory

Adds Run key to start application

Checks whether UAC is enabled

Loads dropped DLL

Executes dropped EXE

NanoCore

Malware Config

C2 Extraction:

exceltionguidle.ddns.net:1085
127.0.0.1:1085

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Malware_QA_update Create hunting rule
Author:	Florian Roth
Description:	VT Research QA uploaded malware - file update.exe
Reference:	VT Research QA

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name:	win_nanocore_w0 Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample