MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 074537cdfc152eb16c1bbb1272e6812837f0918dde7ad9ab401ec52b0b2e5c5b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 074537cdfc152eb16c1bbb1272e6812837f0918dde7ad9ab401ec52b0b2e5c5b
SHA3-384 hash: c308d023e0147107fa1fae7ad8b23a685eb1aa6c1fdb2befaed46af156a3752baab7ff83e25a843c8090e855a2f1f396
SHA1 hash: 978c2d5db58a2b381fbaddeaa52f2491395bade6
MD5 hash: 00ea7406a05198c3a07bc580b96243c8
humanhash: solar-twenty-august-montana
File name:Shipping_Details.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:872'960 bytes
First seen:2020-12-02 08:27:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:qzXzOSQhkkFi5lKXoCFKL6WZQWDIhZlSg:rSgFFiLK4CFxWZbsZ
Threatray 1'387 similar samples on MalwareBazaar
TLSH 3505027220027D95FA390E7461B22D584C24AF37AF39F14DBD80355B71B72E89EA9CE1
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
NanoCore RAT payload URL:
http://michaelcardillo.com/soundmind/fonts.exe

NanoCoreRAT C2s:
209.159.151.5:24980
67.211.209.25:54948

Intelligence

File Origin
# of uploads :
1
# of downloads :
199
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/106341/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.405.31759.21694.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/553326
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Binary contains a suspicious time stamp
Connects to many ports of the same IP (likely port scanning)
Detected Nanocore Rat
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 325760 Sample: Shipping_Details.exe Startdate: 02/12/2020 Architecture: WINDOWS Score: 100 85 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->85 87 Malicious sample detected (through community Yara rule) 2->87 89 Antivirus detection for URL or domain 2->89 91 13 other signatures 2->91 9 Shipping_Details.exe 15 9 2->9         started        14 Shipping_Details.exe 4 2->14         started        16 dhcpmon.exe 3 2->16         started        18 dhcpmon.exe 2->18         started        process3 dnsIp4 77 michaelcardillo.com 181.214.142.116, 49709, 80 ASDETUKhttpwwwheficedcomGB Chile 9->77 79 192.168.2.1 unknown unknown 9->79 67 C:\Users\user\AppData\Roaming\TCLrmaeey.exe, PE32 9->67 dropped 69 C:\Users\user\AppData\Local\Temp\fonts.exe, PE32 9->69 dropped 71 C:\Users\user\AppData\Local\...\tmpAE4F.tmp, XML 9->71 dropped 73 C:\Users\user\...\Shipping_Details.exe.log, ASCII 9->73 dropped 101 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 9->101 103 Injects a PE file into a foreign processes 9->103 20 fonts.exe 3 9->20         started        24 Shipping_Details.exe 1 18 9->24         started        27 schtasks.exe 1 9->27         started        29 dw20.exe 14->29         started        file5 signatures6 process7 dnsIp8 59 C:\Users\user\AppData\Local\...\fonts.exe, PE32 20->59 dropped 93 Machine Learning detection for dropped file 20->93 95 Writes to foreign memory regions 20->95 97 Maps a DLL or memory area into another process 20->97 31 MSBuild.exe 6 20->31         started        35 cmd.exe 1 20->35         started        75 209.159.151.5, 24980, 49710 IS-AS-1US United States 24->75 61 C:\Program Files (x86)\...\dhcpmon.exe, PE32 24->61 dropped 63 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 24->63 dropped 65 C:\...\dhcpmon.exe:Zone.Identifier, ASCII 24->65 dropped 99 Hides that the sample has been downloaded from the Internet (zone.identifier) 24->99 37 schtasks.exe 1 24->37         started        39 schtasks.exe 1 24->39         started        41 conhost.exe 27->41         started        file9 signatures10 process11 dnsIp12 81 67.211.209.25, 49712, 54948 IS-AS-1US United States 31->81 83 Hides that the sample has been downloaded from the Internet (zone.identifier) 31->83 43 schtasks.exe 31->43         started        45 schtasks.exe 31->45         started        47 conhost.exe 35->47         started        49 schtasks.exe 35->49         started        51 conhost.exe 37->51         started        53 conhost.exe 39->53         started        signatures13 process14 process15 55 conhost.exe 43->55         started        57 conhost.exe 45->57         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/074537cdfc152eb16c1bbb1272e6812837f0918dde7ad9ab401ec52b0b2e5c5b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-12-02 06:20:14 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=a5ctptp4cuxlc3a3xmjhfzubfa37bemn3z5ntk2ad3cswczolrnq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
0c6ca6a60f16f6c34ffc559bfe9a291e6143a33b74f8e8ec66662b95bfe86a89
NanoCore
354d8f2552b03d6c566580d1cddd01abe71a8932952465947e4d50969f7a1cb5
NanoCore
373ff5729bbb58bba6a9426b0a35c58a921be8b76a3ccf1dd9f99f410af8dddd
NanoCore
69cbd1cde514fa34db916c79d034366b291e3ea63917b52ec76bef88060bfce0
NanoCore
ae1bb9370bff1b5634fcc9aebf4f0fd874f66e75ceba1153449fbf8459272db8
NanoCore
badf7e8ef826b51aaa028ec3a296f7b9432474d8b6377552f0dcbfd520c0df47
NanoCore
d375817a8fb5163ee8bf1ef997ca42b16c326825a728a12b13fcdb152938e360
NanoCore
f260826b576ab6e2de24d288956fc3e268d113e10b7c19b7c7ee7ba51f82fe43
NanoCore
f2cfe1f156f2ee4f47cb3d08b574d722b46918bf1daee7c37514253b9f653a61
NanoCore
ff0dbe5f85b9f46b03fbfe6feef5c0130faf814614e7280ca0d55eb23948a4eb
NanoCore
+ 1'377 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201202-326v2wdt2x/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious behavior: SetClipboardViewer
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
JavaScript code in executable
Maps connected drives based on registry
Checks BIOS information in registry
Loads dropped DLL
Executes dropped EXE
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
NanoCore
Malware Config
C2 Extraction:
209.159.151.5:24980
inyene.duckdns.org:24980
67.211.209.25:54948
enomfon.duckdns.org:54948
Unpacked files
SH256 hash:
074537cdfc152eb16c1bbb1272e6812837f0918dde7ad9ab401ec52b0b2e5c5b
MD5 hash:
00ea7406a05198c3a07bc580b96243c8
SHA1 hash:
978c2d5db58a2b381fbaddeaa52f2491395bade6
Link:
https://www.unpac.me/results/8dc84375-63a8-41da-aa5d-9227f3a1e953/
SH256 hash:
2d2a80d2859c9e4de48d28ea642f3ced2796de4e4cb911a4656b0fdfb162d9bd
MD5 hash:
1e088575d15ca122ac0e1b9310433c08
SHA1 hash:
1ca755c8cb78cb821185a6eaf6048e0e4ec1d15c
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/8dc84375-63a8-41da-aa5d-9227f3a1e953/
Parent samples :
e4fc20492ed4f4750766382f6578d84f38bf680646eb6b5193c5733925941f67
3a2278374596d368ec773c10d54ec91f69445144248769abb155de58215d8c2c
074537cdfc152eb16c1bbb1272e6812837f0918dde7ad9ab401ec52b0b2e5c5b
SH256 hash:
c88a66cbf00b12c88e2b970b8bc220e970e8465e56098ced24e97d42be901b94
MD5 hash:
a60401dc02ff4f3250a749965097e13f
SHA1 hash:
3f22d28fd765f831084cb972a8bd071e421c26a1
Link:
https://www.unpac.me/results/8dc84375-63a8-41da-aa5d-9227f3a1e953/
SH256 hash:
eeaaa208f0c8fcf47cdfbe04eb676bc7419d3a16c35db26cbb74acbade472a08
MD5 hash:
64e0532bdcd9262407c5bd1cd690eb69
SHA1 hash:
6d8a64ddf1d0f392e248a963f9e008ec0763f26c
Link:
https://www.unpac.me/results/8dc84375-63a8-41da-aa5d-9227f3a1e953/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Nanocore
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/074537cdfc152eb16c1bbb1272e6812837f0918dde7ad9ab401ec52b0b2e5c5b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:nanocore_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

Executable exe 074537cdfc152eb16c1bbb1272e6812837f0918dde7ad9ab401ec52b0b2e5c5b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/882057/
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/106341/

Comments