MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 06219afda22832015f3ec8a8724833dcce5f923a93b689dd58a0f7a3eca55d52. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 13


Intelligence 13 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 06219afda22832015f3ec8a8724833dcce5f923a93b689dd58a0f7a3eca55d52
SHA3-384 hash: 1c4cc209902a948d11638ae77ecbae851a21c21731c328e5594c1960f85bab1d7df76b517ca71e67c0df01d740a46b8c
SHA1 hash: dcb89c524d0d1a56f2796df55b05ef70439b9c1f
MD5 hash: 5af7af7e0713e7d6c535b0e6d190b755
humanhash: wolfram-steak-fix-vegan
File name:dcb89c524d0d1a56f2796df55b05ef70439b9c1f
Download: download sample
Signature NanoCore
Create hunting rule
File size:449'024 bytes
First seen:2021-11-16 13:59:06 UTC
Last seen:2021-11-16 15:32:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:pgkQ7Qr2wWEPQB+/EwurrLn2baGgAktgE/uv5ZNFCnpHIebCXFyC:+cC0QyEwu/LnSbg/tgE/w+pH9eH
Threatray 3'716 similar samples on MalwareBazaar
TLSH T120A4DF3036E69609C97B4F321CB990C057B67AA77F00D66F3889264C9E237574B11BBB
Reporter JAMESWT_WT
Tags:exe NanoCore

Intelligence

File Origin
# of uploads :
2
# of downloads :
148
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/206482/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1102.17246.29174.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Creating a process from a recently created file
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Creating a file in the %AppData% subdirectories
Creating a file in the Program Files subdirectories
Connection attempt to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6193b96643e8f62b6695674e/reports/3b997182-10ee-47f4-b6e4-e6d75f8e5f30/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/982855b6-5df7-4752-b534-177cc246cf0a
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/890411
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: NanoCore
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicius Add Task From User AppData Temp
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 522882 Sample: 9O4URdhvQp Startdate: 16/11/2021 Architecture: WINDOWS Score: 100 49 sonspices.ddns.net 2->49 61 Found malware configuration 2->61 63 Malicious sample detected (through community Yara rule) 2->63 65 Multi AV Scanner detection for dropped file 2->65 67 12 other signatures 2->67 8 9O4URdhvQp.exe 7 2->8         started        12 dhcpmon.exe 2->12         started        signatures3 process4 file5 37 C:\Users\user\AppData\...\kKUOweAHle.exe, PE32 8->37 dropped 39 C:\Users\user\AppData\Local\Temp\tmp9DA.tmp, XML 8->39 dropped 41 C:\Users\user\AppData\...\9O4URdhvQp.exe.log, ASCII 8->41 dropped 69 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->69 71 Uses schtasks.exe or at.exe to add and modify task schedules 8->71 73 Adds a directory exclusion to Windows Defender 8->73 14 9O4URdhvQp.exe 8->14         started        19 powershell.exe 24 8->19         started        21 powershell.exe 25 8->21         started        27 2 other processes 8->27 75 Injects a PE file into a foreign processes 12->75 23 schtasks.exe 12->23         started        25 dhcpmon.exe 12->25         started        signatures6 process7 dnsIp8 51 sonspices.ddns.net 185.140.53.9, 49755, 49757, 49765 DAVID_CRAIGGG Sweden 14->51 53 127.0.0.1 unknown unknown 14->53 55 192.168.2.1 unknown unknown 14->55 43 C:\Program Files (x86)\...\dhcpmon.exe, PE32 14->43 dropped 45 C:\Users\user\AppData\Roaming\...\run.dat, data 14->45 dropped 47 C:\...\dhcpmon.exe:Zone.Identifier, ASCII 14->47 dropped 57 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->57 29 conhost.exe 19->29         started        31 conhost.exe 21->31         started        33 conhost.exe 23->33         started        35 conhost.exe 27->35         started        file9 59 Uses dynamic DNS services 51->59 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/06219afda22832015f3ec8a8724833dcce5f923a93b689dd58a0f7a3eca55d52/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-11-16 13:58:41 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ayqzv7ncfazacxz6zcuhesbt3thf7er2so3itxkyud32h3fflvja._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
07f511ce3b6a8fb409c1a05ea3e01a6d92422674224109c8d0889a017122098c
NanoCore
23c992572207103a5fb54631a8dedf4206450604880d02bc046f353721805cc2
NanoCore
2b8a102443d6ed4c84471a54f058f24f5f55485bba73ebd785fdce294e337110
NanoCore
3be7eca97e7ba084e0e4d7142b3c6bfdb7a9d32603e58cadb610a5437c177443
NanoCore
3d8811d64e17d5ea06d0edae6163b90b2400d06d9afa60ae689d6fe9232bca86
NanoCore
4d394ed696ee7fb3d53a7b064c53f2157b28d9f192de912fe311dd284845e4c9
NanoCore
7ceb354c4f419b3daed055ae62d5b1aaf58a7b715f8e9de08e5379e7e70ebeb6
NanoCore
9f96527c9f839559485e89c5c5ff8f95708035fd55c9fac0c2edf3764224d860
NanoCore
d7cc44c8311a1e7001ca0e85434b068c4421ac3d9f79d080b11548f3eb584c90
NanoCore
+ 3'706 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/211116-razzdabahj/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Maps connected drives based on registry
Checks BIOS information in registry
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
NanoCore
Malware Config
C2 Extraction:
sonspices.ddns.net:8282
127.0.0.1:8282
Unpacked files
SH256 hash:
9e6462f3699323e5632b26569c6e982c4a446b5676d7995b69bdd4fa0885402c
MD5 hash:
5e8799341971b74b9aa38e1c47634a65
SHA1 hash:
d1d7d3521605547feb762ab02d8f36d76f2df7ba
Link:
https://www.unpac.me/results/024888bc-35bf-48bb-9807-5b5fb2f85f0e/
SH256 hash:
86fe170cc6dd3a576807c1192a06ead68bf210f9ccd14f1a81d4f44c2dbcc25f
MD5 hash:
bf5c170790a9378101dbc312303925e3
SHA1 hash:
bddaf21c02ba5cec7c4dfd1b1f289e23714a8ba8
Link:
https://www.unpac.me/results/024888bc-35bf-48bb-9807-5b5fb2f85f0e/
SH256 hash:
0ed39e7e71c06d20f157a4fe7b15e7e73cdc1773cc1365f17122be9e0d9a9be1
MD5 hash:
9ae0b29417560a1342a74705eda554f2
SHA1 hash:
4965c37c2fdc62908dbef62668af4624c3a81e6a
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/024888bc-35bf-48bb-9807-5b5fb2f85f0e/
Parent samples :
77cbefb12f096f37e67a76b5aab9719ccd4a7b7121c5435785fd030d36223567
06219afda22832015f3ec8a8724833dcce5f923a93b689dd58a0f7a3eca55d52
SH256 hash:
06219afda22832015f3ec8a8724833dcce5f923a93b689dd58a0f7a3eca55d52
MD5 hash:
5af7af7e0713e7d6c535b0e6d190b755
SHA1 hash:
dcb89c524d0d1a56f2796df55b05ef70439b9c1f
Link:
https://www.unpac.me/results/024888bc-35bf-48bb-9807-5b5fb2f85f0e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/06219afda22832015f3ec8a8724833dcce5f923a93b689dd58a0f7a3eca55d52

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_NanoCore
Create hunting rule
Author:ditekSHen
Description:Detects NanoCore
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:nanocore_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Feb18_1_RID2DF1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:Nanocore_RAT_Gen_2_RID2D96
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_nanocore_w0
Create hunting rule
Author:Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/206482/

Comments