MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d51f21ff25f795d8e35ceee54a3e2e46183f46eee6ba3f9fe2cf94893ef6bc63. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d51f21ff25f795d8e35ceee54a3e2e46183f46eee6ba3f9fe2cf94893ef6bc63
SHA3-384 hash: 7ecb8e1bdec3fa6788d3bf7cc59217537918dcbbd8a8801150dd498e78729e2abbba3dfa7699983206cf10ccd2190195
SHA1 hash: a0283fbef34d6f21452fbf3acf8b57839bb9af82
MD5 hash: 7d407d39196574f7baa80c9bd553f6ad
humanhash: minnesota-oscar-kitten-coffee
File name:RECEIPT.EXE
Download: download sample
Signature NanoCore
Create hunting rule
File size:608'768 bytes
First seen:2020-07-23 18:50:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:asDjUDw7Bf64wSaaSXofvR4Lfb7uykwzVzULijGaG1GGGsuGGGGGGGJGGsnNNNNG:RjvVYa5nRWfb7uykwzVc
Threatray 1'097 similar samples on MalwareBazaar
TLSH A1D48C56CBBA4AFAEB9007BCE450D10942B8A42FA3D5D3851F97FDF4B0AE5241B03D52
Reporter cocaman
Tags:exe NanoCore

Intelligence

File Origin
# of uploads :
1
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/31933/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/396715
Behaviour
Behavior Graph:
Download SVG
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d51f21ff25f795d8e35ceee54a3e2e46183f46eee6ba3f9fe2cf94893ef6bc63/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-23 17:08:23 UTC
File Type:
PE (.Net Exe)
Extracted files:
19
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2upsd7zf66k5ry2453suuproiymd6rxo425d7h7cz6kispxwxrrq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
21d61e01077c5b12aa0ad5918b74c6cafce983290adc3311c3a89d849287357d
NanoCore
415ceff1ef1fa3bfc448613f3f6cc2435051f49ed8961b1cab030d75ee8bd65f
NanoCore
945ececcb2fd0b7d3a4fd86464737752ba8c1cf215159868595bd9d167a337a2
NanoCore
9de5e8e2d7733dfcf568e5b11a95d2468ef905e90169d7a4c93e1909a0372f04
NanoCore
bc33d0face20153ffe1ebf0c3e9043894633a624d8e4214084c292e353777f46
NanoCore
cfbf8e9c3e178d14a8afa864eacdf5e9ee57c82679b08bbceb56ca418c86e908
NanoCore
cfe20c750574e668b6b88f9a0453762d5e0a82f7ba3ab879eacd85e0671035ae
NanoCore
d7269fff7321b7254a2a6ce7e6fb9b8347d73cb78597d73412b8d21344832e81
NanoCore
e847719a98762bcf7422064186c2cdbb2f58000622448c3adcb6769b7cfbea68
NanoCore
f0fa2d366b28cfa858d00232f1073be3dbea215480c630a6489b38acdbb7af83
NanoCore
+ 1'087 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
evasion trojan keylogger stealer spyware family:nanocore
Link:
https://tria.ge/reports/200723-ppzawdvs6e/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetThreadContext
Checks whether UAC is enabled
NanoCore
Malware Config
C2 Extraction:
u852117.nvpn.to:5638
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Farheyt
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/d51f21ff25f795d8e35ceee54a3e2e46183f46eee6ba3f9fe2cf94893ef6bc63

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

img 060879424d5c5232887919354e8ede285168c6bda0b2545970b76918d0b3f198

NanoCore

Executable exe d51f21ff25f795d8e35ceee54a3e2e46183f46eee6ba3f9fe2cf94893ef6bc63

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 060879424d5c5232887919354e8ede285168c6bda0b2545970b76918d0b3f198
Cape
Cape
https://www.capesandbox.com/analysis/31933/

Comments