MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 074381d905e3aaec0e4c4bb9c2e7bd23da6986d1cbbe895c91857a6d35c4a3c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 11

Intelligence 11 IOCs YARA 6 File information Comments

SHA256 hash:	074381d905e3aaec0e4c4bb9c2e7bd23da6986d1cbbe895c91857a6d35c4a3c8
SHA3-384 hash:	9692c7446960a69ca4eaee5adc6250a243e06a1ea34587a7a4edbcc2290bbb82266d69f30f6e905395f7dc2f14331f5e
SHA1 hash:	4afc78d70066e3b15a80709f6972596f94573868
MD5 hash:	a6ae63b43136c7bfdbd1610fe8eb7195
humanhash:	romeo-asparagus-fillet-network
File name:	FedExs AWB#5305323204643.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	828'416 bytes
First seen:	2020-12-22 17:54:41 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:tMDonzKs5jPl66Iht2JlPpDKr4OSWglrwVw39F6f7oZW06D7eWiKsZWS7sWf8V:tMOzwwIk2glUVm8fcEDD7eWiF5sWEV
Threatray	1'638 similar samples on MalwareBazaar
TLSH	B4059E3439EA6719F13BAF7557D074829BEFFA233F03D55D289102861622E81CEA153B
Reporter	James_inthe_box
Tags:	exe NanoCore

Intelligence

File Origin

# of uploads :

# of downloads :

185

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

FedExs AWB#5305323204643.exe

Verdict:

Malicious activity

Analysis date:

2020-12-22 17:56:53 UTC

Tags:

rat nanocore

Link:

https://app.any.run/tasks/48f2fc82-1439-4ae9-a999-6a2e296514b0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

NanoCore

Link:

https://www.capesandbox.com/analysis/108960/

Detection(s):

SecuriteInfo.com.Backdoor.MSIL.REMCOS.SM.8424.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Creating a file

Creating a file in the %AppData% subdirectories

Connection attempt

Enabling autorun by creating a file

Unauthorized injection to a system process

Result

Threat name:

Nanocore

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/568697

Signature

.NET source code contains potential unpacker

.NET source code contains very large strings

Allocates memory in foreign processes

Binary contains a suspicious time stamp

Detected Nanocore Rat

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected AntiVM_3

Yara detected Nanocore RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/074381d905e3aaec0e4c4bb9c2e7bd23da6986d1cbbe895c91857a6d35c4a3c8/

Threat name:

ByteCode-MSIL.Backdoor.Remcos

Status:

Malicious

First seen:

2020-12-22 17:54:13 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

15 of 28 (53.57%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=a5bydwif4ovoydsmjo44fz55epngtbwrzo7isxerqv5g2noeupea._file

Verdict:

malicious

Label(s):

nanocorerat

NanoCore

0d23d50f25bc53d65f18b1d1ed302ef80baa0ad2723e1519f754303c9829a108

NanoCore

2806c2d9436aebf20ce36487ed517b67fe2899db2b0f8947096b23f343b5ac23

NanoCore

42ed72b284dd390611cdc6b88aab94d9afa0b48d12037aa3edc64aeede11499c

NanoCore

5f7a6ab99e2c38a8093873b93853316b31cc15319a17af6d11f50511c4ad8456

NanoCore

6a4ecef563225ed9892ff403374d704be5e3b4242ae9f08d624325e83fd22276

NanoCore

7edb6382eaeded52c1341cec1508c797a7d7146d19e508c9713a4266ac823c8a

NanoCore

814eaf5f7ac92cfed0226402ff7075efe5c0d81e7b555d01376db3e62e34595c

NanoCore

a3e67bd9483ff44e19489be13809806f228aa8063d701f2344eed25c9c3cd5db

NanoCore

b15a2d93ad39a55b90248ef52e7543bfc3268af18225342a67f45061183c13aa

NanoCore

+ 1'628 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

family:nanocore keylogger spyware stealer trojan

Link:

https://tria.ge/reports/201222-2wnw4svsae/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

NanoCore

Malware Config

C2 Extraction:

185.157.160.233:54984
annapro.linkpc.net:54984

Unpacked files

SH256 hash:

f707127bc020c8478380475acecdc0f7a9c8e982ccea6e16ed1b331f55c03e25

MD5 hash:

4179258d7fe9aba67af44e6f2bc9ae72

SHA1 hash:

06e8362195d0a0cf28697dce5ac05d6bc9692e0e

Link:

https://www.unpac.me/results/f6f3bff6-8487-4c42-993a-3ab6e0263789/

SH256 hash:

89de94ffaedf0023d21c6327d0da03336bccea92f40b5e8f49826698d5eb9421

MD5 hash:

4ff3a8f84a173aa34ca00b095b6ec700

SHA1 hash:

5035ed6be06d07c95bfc359e05372d0d1fff6aab

Detections:

win_nanocore_w0

Link:

https://www.unpac.me/results/f6f3bff6-8487-4c42-993a-3ab6e0263789/

Parent samples :

ea35c04468d68c2fde827d915e0ffac88a6e01249e3196148d1681c8ad91e9a9
d7a3ceba0a3f95c44f30319f5ed2bf3675f102a7777d2a2b8279608b2c58b6f2
074381d905e3aaec0e4c4bb9c2e7bd23da6986d1cbbe895c91857a6d35c4a3c8
0b45301c562af6da8c63164d1f13b38a6147202d16503ae2cbe99948e842ff33
9dfd2b3aa2ccb2b72b53066d56ad77605c7e505cf69d6d886d58db67afc9b21a
a8850a204db73426d64f9cf6b238eea769978ea0ffbfe8d7343aec9b63c2e259

SH256 hash:

51b11613df0a8a93c9bf286ff3696c32f50b7763d78425815afaf1d8564fa186

MD5 hash:

6ecc999b80aac33f4255cd30134483ee

SHA1 hash:

86e68ae281efd6741d89eb30388040bb9e68034b

Link:

https://www.unpac.me/results/f6f3bff6-8487-4c42-993a-3ab6e0263789/

SH256 hash:

4f7d47f585dd3a0b71ca17bb7e420a963f875a587f3be77488ea4a5452fd95fc

MD5 hash:

14dc4dfb21f02998dbb8a5fda3a92a71

SHA1 hash:

a5b36a8c821c8a8b28ee96df66ced598be82cdad

Link:

https://www.unpac.me/results/f6f3bff6-8487-4c42-993a-3ab6e0263789/

SH256 hash:

074381d905e3aaec0e4c4bb9c2e7bd23da6986d1cbbe895c91857a6d35c4a3c8

MD5 hash:

a6ae63b43136c7bfdbd1610fe8eb7195

SHA1 hash:

4afc78d70066e3b15a80709f6972596f94573868

Link:

https://www.unpac.me/results/f6f3bff6-8487-4c42-993a-3ab6e0263789/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/074381d905e3aaec0e4c4bb9c2e7bd23da6986d1cbbe895c91857a6d35c4a3c8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	nanocore_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name:	win_nanocore_w0 Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/108960/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample