MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0506766c2d18902707e849e5c472be6508186d70611449e565ad152528517aa0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 5

Intelligence 5 IOCs YARA 5 File information Comments

SHA256 hash:	0506766c2d18902707e849e5c472be6508186d70611449e565ad152528517aa0
SHA3-384 hash:	d27beaeaca57bfa9e075a6c73bb3b8c9f841228005dcc88eb29ae1a23c3015b59905fddbe44b33dbc235cb82e6b5f8b0
SHA1 hash:	767879444859e811d3bd1a5c601af52827023c36
MD5 hash:	40b83c91c37aa01c1d7228cdb7a5942d
humanhash:	nine-cup-steak-hawaii
File name:	SecuriteInfo.com.Trojan.PWS.Siggen2.48634.8895.17763
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	408'576 bytes
First seen:	2020-05-12 03:08:47 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	12288:z0BegZFl+JfUDfzaepz8YsAdPiKD+Pn9:zqh+BYa4gYvdKxl
Threatray	1'173 similar samples on MalwareBazaar
TLSH	36949C05227D2B26E07A9BF518F0A460CBFA75277174E36D4DD624CA16E2F80CA14F7B
Reporter	SecuriteInfoCom
Tags:	NanoCore

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.PWS.Siggen2.48634.8895.17763.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-05-11 18:55:28 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 31 (80.65%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=audhm3bndcicob7ijhs4i4v6muebq3lqmeketzlfvukskkcrpkqa._file

Verdict:

malicious

Label(s):

nanocorerat

NanoCore

29dbd904452edf79122808dfb4810fcf8d089b8e298f68d48497c4b82ebcb1b1

NanoCore

39dc3a88f6948d7740c6260cdabb5affccf9bcf4da744c4cc44cf674950c7c49

NanoCore

523e47e96043b4e5ff372230e6fbdf6a56f6e8fcf95fcd94d4a976d95471e54c

NanoCore

52bd5d7b847a16014d4efe0fae302a258e7fdae3c3fac133af3c2fc4a82a1004

NanoCore

5c12f492a1bc370b4df06dad9f2b5bf8398dcf59e8e7448408feee88bf3c6569

NanoCore

ac55391665adbe887fc77b178dc286318f55ff10566cbc3ac2adddf460434eeb

NanoCore

b59de3e185784023c3bfa211f874ab50b74083e6d0a83174a8c42d74099429a4

NanoCore

c166a4a1899462e20516825c87f9545cdc7b24654d1f18b864da4ee641af5ace

NanoCore

e8254b66674540a3ccd19360e61beca8337a93af404f3486dca84a5bcdb3abd4

NanoCore

+ 1'163 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

family:nanocore evasion keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/201109-3mfdqd8n5j/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Suspicious use of SetThreadContext

Adds Run key to start application

Checks whether UAC is enabled

NanoCore

Malware Config

C2 Extraction:

deone.hopto.org:1987
easter87.duckdns.org:1987

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name:	win_nanocore_w0 Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample