MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 013e28fb236b074fae60d3252c602924a886ad4c311310dbb19f85ba1c5e2425. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NanoCore


Vendor detections: 10



SHA256 hash: 013e28fb236b074fae60d3252c602924a886ad4c311310dbb19f85ba1c5e2425
SHA3-384 hash: 3895816a9590e24b6a4d26b8f4c6db1db12a400f1e581b669f65ab033272159d6bdbc7e0f5d1b5fdb874dd9229e0098e
SHA1 hash: 262facdb53a1850cc5b3b5a7ef309af5729fe360
MD5 hash: 32a1284de996b04bd86f0b5859c30706
humanhash: vermont-lima-chicken-gee
File name: relief filling.exe
Download: download sample
Signature: NanoCore
File size: 475'136 bytes
First seen: 2020-07-29 12:41:36 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 6144:z36f14wQnJQuhHaE7Gf0DvrZyzhwn+IQ9xxs/hM4Uhc7HQpk2:7CdSJQuhHJZyzhm+IQFsrUhSH
Threatray: 1'277 similar samples on MalwareBazaar
TLSH: ECA449125A3C8AE3F5DDBDF889AA5B1807604C868D73B349C21F74E4ECB7183C51A9D6
Reporter: cocaman
Tags: exe NanoCore

Intelligence


File Origin
# of uploads: 1
# of downloads: 75
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %AppData% directory
Launching a process
Creating a window
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% directory
Creating a file
Deleting a recently created file
Using the Windows Management Instrumentation requests
Sending a TCP request to an infection source
Unauthorized injection to a system process
Enabling autorun with Startup directory
Result
Threat name: Nanocore
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Detected Nanocore Rat
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Nanocore RAT
Behaviour
Behavior Graph: (interactive graph not reproduced; the node data recoverable from it follows)
Behavior Graph ID: 253641; Sample: relief filling.exe; Start date: 29/07/2020; Architecture: WINDOWS; Score: 100
Network nodes: salespaul.hopto.org (185.165.153.26, ports 49741, 49765, 9036; DAVID_CRAIGGG, Netherlands), g.msn.com
Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Sigma detected: Scheduled temp file as task from temp location; 7 other signatures
Dropped files: C:\Users\user\AppData\Roaming\... (PE32; file name not recoverable from the extracted text); C:\Users\user\...:Zone.Identifier (ASCII); C:\Users\user\AppData\Roaming\...\run.dat (data); C:\Users\user\AppData\Local\...\tmpE35A.tmp (XML)
Process chain: the initial relief filling.exe drops the PE32 file and the Zone.Identifier stream, triggers "Maps a DLL or memory area into another process" and "Hides that the sample has been downloaded from the Internet (zone.identifier)", and starts a child relief filling.exe plus RegAsm.exe; a separately started RegAsm.exe launches conhost.exe. The child RegAsm.exe contacts salespaul.hopto.org, drops run.dat and tmpE35A.tmp, again triggers the zone.identifier signature, and starts schtasks.exe (which starts conhost.exe). Each further relief filling.exe repeats the pattern (starting another relief filling.exe and RegAsm.exe, each hop flagged "Maps a DLL or memory area into another process") for six more generations, and the last relief filling.exe starts three RegAsm.exe instances.
Threat name: ByteCode-MSIL.Trojan.FormBook
Status: Malicious
First seen: 2020-07-29 12:43:05 UTC
File Type: PE (.Net Exe)
Extracted files: 46
AV detection: 25 of 29 (86.21%)
Threat level: 5/5

Result
Malware family: nanocore
Score: 10/10
Tags: evasion trojan keylogger stealer spyware family:nanocore
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious behavior: GetForegroundWindowSpam
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Checks whether UAC is enabled
NanoCore
Malware Config
C2 Extraction:
salespaul.hopto.org:9036
salespaul.ddns.net:9036
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_NanoCore
Author: abuse.ch

Rule name: Nanocore
Author: JPCERT/CC Incident Response Group
Description: detect Nanocore in memory
Reference: internal research

Rule name: Nanocore_RAT_Feb18_1
Author: Florian Roth
Description: Detects Nanocore RAT
Reference: Internal Research - T2T

Rule name: Nanocore_RAT_Gen_2
Author: Florian Roth
Description: Detects the Nanocore RAT
Reference: https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name: win_nanocore_w0
Author: Kevin Breen <kevin@techanarchy.net>

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam
Malware family: NanoCore
File: Executable exe 013e28fb236b074fae60d3252c602924a886ad4c311310dbb19f85ba1c5e2425 (this sample)
