MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 011c5f305852ea8ef82a26bae0d7b6f59fd70f431b91edb25df06863e0001bc0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments

SHA256 hash:	011c5f305852ea8ef82a26bae0d7b6f59fd70f431b91edb25df06863e0001bc0
SHA3-384 hash:	f74dee0f138b37159b215cebf26258875e28e610b812ae0914c21aecca934a6e037cc9d9a497c052f6edf0ace9cc6f9f
SHA1 hash:	ba03bbac64d96bfbd3067803a8b08466b8fb0d3a
MD5 hash:	dbffb4682e330d635295ccdd92fe99c4
humanhash:	burger-edward-speaker-nitrogen
File name:	QUOTATION.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	707'584 bytes
First seen:	2022-05-11 15:27:14 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	12288:QF/3DpQp9V5XXkkXIqvCQOeZ/xWzWsCXQhpKn+nj4/sHtNdC8Sgp:QF/3DG/YkvvWeZ/xWzWsQQhsnCOcdv
Threatray	6'474 similar samples on MalwareBazaar
TLSH	T187E4011CBAF7DA22D16E2B3990F280945771BE89A033D31E35DC134E9F16B9349467A3
TrID	64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.5% (.SCR) Windows screen saver (13101/52/3) 9.2% (.EXE) Win64 Executable (generic) (10523/12/4) 5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	e0d2e25945ba9cf0 (15 x AgentTesla, 9 x Formbook, 7 x Loki)
Reporter	cocaman
Tags:	exe NanoCore QUOTATION

Intelligence

File Origin

# of uploads :

# of downloads :

298

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/269719/

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control.exe obfuscated packed

Link:

https://www.filescan.io/uploads/627bd6174b517e213c2b6fbf/reports/44dffb0e-b660-4129-bad1-93291a7ed5a8/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

NanoCoreRAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/be4a5252-678f-4160-9d39-d533652fe6be

Result

Threat name:

Nanocore

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/992022

Signature

.NET source code contains potential unpacker

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected Nanocore Rat

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Yara detected AntiVM3

Yara detected Nanocore RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/011c5f305852ea8ef82a26bae0d7b6f59fd70f431b91edb25df06863e0001bc0/

Threat name:

ByteCode-MSIL.Backdoor.NanoCore

Status:

Malicious

First seen:

2022-05-11 15:28:09 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=aeof6mcyklvi56bke25obv5w6wp5od2ddoi63ms56bughyaadpaa._file

Verdict:

malicious

Label(s):

nanocorerat

NanoCore

263565e9f77b5ee48474855d471315dd56d1bcabe4d037fb380d404b3afcd14e

NanoCore

45272694709263868523b77d0561757378cc2e8aa7d64c7ed21deaacbdf88b5b

NanoCore

7709c1a46eff201524b42caaecba9ce963f7580e77d7b9c32059aaf3acfb248a

NanoCore

862965d573744607a29489905cfc8abdd8f187874d476ef4263eee7e5175630a

NanoCore

8bf0518cd0c607aa51073dfe422f6af43ab8b43523bd0c182cc6172c9ecb9072

NanoCore

ddb292ac2c57e10703a5358532be2d46e4d5ea94361fd30be3c1e2bfb919621f

NanoCore

+ 6'464 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

family:nanocore evasion keylogger spyware stealer suricata trojan

Link:

https://tria.ge/reports/220511-swbdksebem/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Checks whether UAC is enabled

NanoCore

suricata: ET MALWARE Possible NanoCore C2 60B

Malware Config

C2 Extraction:

deranano2.ddns.net:1187
194.31.178:1187

Unpacked files

SH256 hash:

c206122a7336385be557580c114ac0923192f61bc8f77aa58c898135438399f9

MD5 hash:

6c9e813248a01432890c476813d210b8

SHA1 hash:

fd54aa3af58fc3a88cb3fd6753d773cd6c51b7f8

Link:

https://www.unpac.me/results/e2e0636c-3bf5-4875-bda8-a0e1e9cd7ee6/

SH256 hash:

87b665a52d54bfbeaae649462b9f7b9530b8de7360a446ed107199e0204d1021

MD5 hash:

f921708df76832e657ea9d88aed8c0f5

SHA1 hash:

d83242372dca70f28a11e927fa2edc9c47432b03

Detections:

win_nanocore_w0

Link:

https://www.unpac.me/results/e2e0636c-3bf5-4875-bda8-a0e1e9cd7ee6/

Parent samples :

5075d545fc8187f1e69717af644effc6ecbf79babf598e14e01fe70846e9ec6e
a46cede541f8b2f594b78a0479df22aceaf2a3970e254d49db9516242bc088ec
2839c32588132ccc1bfa64810b81a1728a84bd17b4cc47d5223e540433c225fe
ddb292ac2c57e10703a5358532be2d46e4d5ea94361fd30be3c1e2bfb919621f
b9d9fc33dc623971bbbf29c9ba63b81e71177163aa404366622fd3f083b89136
25d7fa2bfc89484d806bae297d6b5b81ff2de51f93d414c5ba9b86c0dff1a513
46864364581f4a18b628a1b68bfe231d72f4f871eaa712c1c3150cb01c65e6bc
c2f156ddeef8be85d38f8483656d9d657bf8f147657dfbb18b84a235c2bcada2
011c5f305852ea8ef82a26bae0d7b6f59fd70f431b91edb25df06863e0001bc0
dd810d37c396be1e34d2fe8b76c5ff30c17b6bb64afcc1c682182fb6934a3f60
6035a6b2488b6c073d4b1cda9c9879e207b73e94c3551624667e59cc8719dd01
cc1b297e38dc99d95d931c99c51582a6be2c7e713e9c4cfb3ad28476c3b685a8
b9066fabc2944828b98d6f22985038c59a5f6cfb1ae09b2f6b5c89bf87a43c44

SH256 hash:

4fee4d2ff82add625ab84d14c07eaac135a9ee86cc93e62be10e0480e80ba11f

MD5 hash:

54efa1d7fec309f3b8111f7b114bb75b

SHA1 hash:

7611f6e53f45618a418d7e643d48bb637f2a3323

Link:

https://www.unpac.me/results/e2e0636c-3bf5-4875-bda8-a0e1e9cd7ee6/

SH256 hash:

be49b0cd65609a89b2f37c57a76a0db69c1077cc45460c17113243bf76ebfe78

MD5 hash:

960d99abf2a92ea3e11cacbb6ca3273b

SHA1 hash:

07a2877710733689f90e06510a9cec22aa4141a1

Link:

https://www.unpac.me/results/e2e0636c-3bf5-4875-bda8-a0e1e9cd7ee6/

SH256 hash:

011c5f305852ea8ef82a26bae0d7b6f59fd70f431b91edb25df06863e0001bc0

MD5 hash:

dbffb4682e330d635295ccdd92fe99c4

SHA1 hash:

ba03bbac64d96bfbd3067803a8b08466b8fb0d3a

Link:

https://www.unpac.me/results/e2e0636c-3bf5-4875-bda8-a0e1e9cd7ee6/

Malware family:

NanoCore

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/011c5f305852/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/011c5f305852ea8ef82a26bae0d7b6f59fd70f431b91edb25df06863e0001bc0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.