MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 962065b4491c250095c940a86b942e170e3ed612ea289a03131e1fd350fa48c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 7

Intelligence 7 IOCs YARA 6 File information Comments

SHA256 hash:	962065b4491c250095c940a86b942e170e3ed612ea289a03131e1fd350fa48c8
SHA3-384 hash:	b314cda51b34b343f19da125b545377051173b8c9776a6651080c1c3fef8d4ecb91c2eefb6fb6438f6340fe3b89853ea
SHA1 hash:	2be9194ad0986a43330bc5eea3e44c1661eafa07
MD5 hash:	2415de95bd4a946840a47b7f4127a640
humanhash:	blossom-king-pip-venus
File name:	962065b4491c250095c940a86b942e170e3ed612ea289a03131e1fd350fa48c8
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	476'416 bytes
First seen:	2020-07-06 06:54:37 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	92644df84cdbba7637462c128671f148 (3 x NanoCore, 2 x AgentTesla, 1 x Loki)
ssdeep	12288:XA9aq6bQ9lOG+ImzOscUowijPprdSU8Z3jHZbz:XaaIh+pzOsti7pMU8/bz
Threatray	3'317 similar samples on MalwareBazaar
TLSH	64A41201EFF15154F1F6373659AB0AE01A7ABC56B872CE1E6620F94C2D70684ECA9723
Reporter	JAMESWT_WT
Tags:	NanoCore

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

NanoCore

Link:

https://www.capesandbox.com/analysis/20973/

Detection(s):

PUA.Win.Packer.Upx-6

Win.Dropper.Nanocore-8025730-0

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Creating a file in the %AppData% subdirectories

Connection attempt

Detection:

nanocore

Link:

https://mwdb.cert.pl/sample/962065b4491c250095c940a86b942e170e3ed612ea289a03131e1fd350fa48c8/

Threat name:

Win32.Trojan.DelfFareIt

Status:

Malicious

First seen:

2020-06-30 08:38:40 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

28 of 31 (90.32%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=syqglncjdqsqbfojicugxfboc4hd5vqs5iujuaytdyp5guh2jdea._file

Verdict:

malicious

Label(s):

nanocorerat

hawkeyekeylogger

NanoCore

766904989084e0264f16fd4aff548ca862836d2f6a4ce72c4d0bf66ff78ec478

NanoCore

87c615982865f3989839cf3e7c4eca736f6adf61db512210919208b91661e104

NanoCore

aaa969de94835c4f59740b9bc3463693142db72d094969962d353c6466c10cd5

NanoCore

ae9c3c06ca17765d0c15b2da349d17e89d706ef428187656326cd4ad42d72115

NanoCore

bb4c95b7c979b3b470fb57f03044950d1340aa7707f5a734aa5b1d21e07c2459

NanoCore

bd23c3a3d5215798a115525fe15803ee5f4393ae77d49e081770761beecb14ea

NanoCore

db256170f60efdebefa6673fd5e985a7688c3ea5656aa827a61b9f3c600d0b00

NanoCore

f7d4fb7b8ebeee21a2beb691d9b60ff2efb2a60f27e00d929d64db8fa2687a0f

NanoCore

fddbfcd2f4497ffd75f9f1be1619ba4cf5a5ca99df6eb888216e2e0f2bec7990

NanoCore

+ 3'307 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://tria.ge/reports/200706-kct8n777va/

Behaviour

UPX packed file

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

Rule name:	win_nanocore_w0 Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/20973/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample