MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4bf1d1294fcdebf960a81bc8bdf14edb488c4d844a90ab100a1d5354f8cd443. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 3


Intelligence 3 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f4bf1d1294fcdebf960a81bc8bdf14edb488c4d844a90ab100a1d5354f8cd443
SHA3-384 hash: d96ec8def11198c887fa6b4bbe1119041e7ce70feebf0b08e1acc6ca284cfeae5f6de5b04b7fe1551207f454dfe19750
SHA1 hash: 6f65061db7ae24eb5c7a3231e29f4142a0f69635
MD5 hash: be2c60579f55d3ac3c81b3b2a1f6a74c
humanhash: fourteen-aspen-lamp-beryllium
File name:1_Zahlung_2452_6328_5767.scr
Download: download sample
Signature NanoCore
Create hunting rule
File size:610'816 bytes
First seen:2020-04-27 23:07:44 UTC
Last seen:2020-04-27 23:16:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ac92fe96e6fa9a70e92f04d7f9c0ee22 (1 x NanoCore)
ssdeep 12288:ncyBz89ugAzRbw8PdarVf9+qww1fYuFSt/dq7FHd+esTCm3:ncyBz8EgAzig0R1BwwB3FU/2FY2m
Threatray 1'071 similar samples on MalwareBazaar
TLSH 05D4231BCF8166B8E07C097704F2739AB371C5D44490FF9BAA1C9A267163B55B7A081B
Reporter c_APT_ure
Tags:NanoCore

Intelligence

File Origin
# of uploads :
2
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.AsprotectSke-6
Create hunting rule

PUA.Win.Packer.AsprotectSke-1
Create hunting rule

PUA.Win.Packer.AsprotectSke-4
Create hunting rule

PUA.Win.Packer.Asprotect-3
Create hunting rule

PUA.Win.Packer.AsprotectSke-5
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-01-17 09:13:09 UTC
File Type:
PE (Exe)
Extracted files:
44
AV detection:
27 of 30 (90.00%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
290404d235fcb1fd5f5656a2d4b755416100c005f27f7f7fcbed7dfcdb9c2a2b
NanoCore
2fdb85c7a0a29e78f22e3b994c5835178f6b54162f4d72a224d9ac9d40c3b60f
NanoCore
38bf20255640821b131eaa9c22c16a6e55e61e18a6cd4e248aa07b919847d626
NanoCore
3e8fda53d335f929c539e5fbc47a79e166ecbfda4752c50544c429a199056c62
NanoCore
5700445a825b5aff980c5e25874d60fd3c1d6fa7f01e74e20411a63e8915c8b8
NanoCore
612a1123c2ca0a0c3f077aa506b48cfbbeb815c1c026b82f7a17d6e547b1b138
NanoCore
87c615982865f3989839cf3e7c4eca736f6adf61db512210919208b91661e104
NanoCore
bd21ef2fd03f08e64b61b4048bdcfdcbd7c61c869f32c5ea114d75afcbd94cc9
NanoCore
c4284c413395930a3ca9561d55045bb40c5d14d8c70e44f4f7a9b944ef34935c
NanoCore
d2edc352a2a157c1ac51e314039ca894958635959d905900755992eed6a13256
NanoCore
+ 1'061 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegQueryValueExA
WIN_USER_APIPerforms GUI Actionsuser32.dll::CreateWindowExA

Comments