MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0993337058dcc57bb0451776eb23ae1bb1fc7199f390fdb78ddb753482e276e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0993337058dcc57bb0451776eb23ae1bb1fc7199f390fdb78ddb753482e276e2
SHA3-384 hash: abe72f62b5fc1a525e6c9b8c23fb806073ed22887015e36d4df0451ab9bb0fa148945259f21553f9a0f56a77d182ac8f
SHA1 hash: f89cce15f936259038ca8b2290575299c7f0711f
MD5 hash: 4312108e11ebf751d788718f56696497
humanhash: twenty-utah-mirror-twenty
File name:Invoice NeededPDF.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:603'832 bytes
First seen:2021-06-22 12:56:16 UTC
Last seen:2021-06-22 13:36:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:q8yoKU+QvVIe/iJjFc+/mEf02+AYNiWJk3:q8yoKn4wvc+M2+pk3
Threatray 113 similar samples on MalwareBazaar
TLSH 61D40166F622A3B0C5038DFED595F0451BB21F9AD773AF1A7388330A8CB67974632461
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
NanoCore C2:
23.94.82.41:11940

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
23.94.82.41:11940 https://threatfox.abuse.ch/ioc/139888/

Intelligence

File Origin
# of uploads :
2
# of downloads :
129
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Invoice NeededPDF.exe
Verdict:
Suspicious activity
Analysis date:
2021-06-22 12:59:05 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/88360896-98bc-4ed0-9865-c232c6a72410

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/167557/
Detection(s):
SecuriteInfo.com.Variant.Bulz.523164.8425.10406.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2d9ab70f-71f7-463b-8e01-de1be3a0280d
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/805950
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Drops executable to a common third party application directory
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: NanoCore
Sigma detected: Suspicious Process Start Without DLL
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0993337058dcc57bb0451776eb23ae1bb1fc7199f390fdb78ddb753482e276e2/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-06-22 12:57:09 UTC
AV detection:
14 of 46 (30.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bgjtg4cy3tcxxmcfc53owi5odoy7y4mz6oip3n4n3n2tjaxco3ra._file
Verdict:
suspicious
Similar samples:
25565e82a4ff19e43439a8188345ec8ad8d3538529dec10764c9ffba163ceb6c
NanoCore
4b9802e46fc0efd83d5e603b47743543987c12d543b4a75b67d6b873e889eb34
NanoCore
4cff4b2d2ec7a93a5bc6e3a6e1f82524ea97a0f910099013b68d0561ba3ba9e4
NanoCore
52309c4bfd0f4a78a05edff800c412760c488ef60f6709f6f9038dc1f315f17a
NanoCore
746b6f97ac17b501a455bb1570a10515bf83db24890f39e02b2c2e0b09bf7f0d
NanoCore
a59693f90c55791c544845b00cd4a8e6333d83cc83c8d8be42a7b028af4098e0
NanoCore
bc57e420dec21d7e6a08748c9a531cbdbddf2251e656492521a4f16b692c23f5
NanoCore
d9f4e53838a43981dee675993924484cd508c1d6fe40d619694e313e9d1e6569
NanoCore
db30e7a45705a8bf2071bd51b70157cace17faaf34aef2bcbd3266fa0ecce874
NanoCore
e89ac7128c7460388550f814595e09ab596db0f6f6c0588eb6efdac0e3302637
NanoCore
+ 103 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210622-4snwd66g7n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
Executes dropped EXE
NanoCore
Malware Config
C2 Extraction:
sys2021.linkpc.net:11940
191.96.25.26:11940
Unpacked files
SH256 hash:
cc8e668380a26fe9881fb6b652c47866fa1076d7b90af256685420baea592c50
MD5 hash:
89e63ea8b6c26ef2bf27563b383a038b
SHA1 hash:
39bc36c4df1ba492019ae59eae06020a736d92b0
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/b97ec248-0d04-4940-964c-d5b7ffe4d817/
SH256 hash:
4afed05191ab24f36c33569fe9d780206aff452d62a72b4b35292daa20c7a2cf
MD5 hash:
acb49235122cd040ab1c3b1ed5dd4b7f
SHA1 hash:
9007d0b6bab90c953658fbdc31a727637a219ce5
Link:
https://www.unpac.me/results/b97ec248-0d04-4940-964c-d5b7ffe4d817/
SH256 hash:
e82180518ec9404c7a62f082eab1ae0d7a4706ad5ff02b4dd2b241cf6c07c535
MD5 hash:
9d8cb14214bc44f63edaf2b4d132861f
SHA1 hash:
7d568d98c37887bf71978faba1ea84ce89995d40
Link:
https://www.unpac.me/results/b97ec248-0d04-4940-964c-d5b7ffe4d817/
SH256 hash:
0993337058dcc57bb0451776eb23ae1bb1fc7199f390fdb78ddb753482e276e2
MD5 hash:
4312108e11ebf751d788718f56696497
SHA1 hash:
f89cce15f936259038ca8b2290575299c7f0711f
Link:
https://www.unpac.me/results/b97ec248-0d04-4940-964c-d5b7ffe4d817/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0993337058dcc57bb0451776eb23ae1bb1fc7199f390fdb78ddb753482e276e2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/167557/

Comments