MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1321cdae4515179855c33c5254bb361a690182ad662d2f93784733e9d696270b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 18

Intelligence 18 IOCs YARA 12 File information Comments

SHA256 hash:	1321cdae4515179855c33c5254bb361a690182ad662d2f93784733e9d696270b
SHA3-384 hash:	582cecd137724c4c156b4c5fd41859191369ccff61f47227501867a14d6f0fa5a1857bb67188399d4e7d32432829d1fe
SHA1 hash:	97d353b8bf34c5573988b0a1deab70887e97c800
MD5 hash:	afd0e20181b8b80d5b4421900e79bc62
humanhash:	missouri-eight-pizza-michigan
File name:	afd0e20181b8b80d5b4421900e79bc62.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	384'512 bytes
First seen:	2023-03-25 04:20:38 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	6144:2Mg6aDRxkdoQh5Q7dbAIXAGC04T5LUqMru/FwjAuzoRuZHM4:kAoQh54yIXAGZSirf2uZH
Threatray	676 similar samples on MalwareBazaar
TLSH	T19B84F144BBE99B15E0BFA3F95576A30443F0B82B5850E70C5ED274D628B1F908E90FA7
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	exe NanoCore RAT

abuse_ch

NanoCore C2:
3.145.201.105:3637

Intelligence

File Origin

# of uploads :

# of downloads :

322

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

nanocore

ID:

File name:

afd0e20181b8b80d5b4421900e79bc62.exe

Verdict:

Malicious activity

Analysis date:

2023-03-25 04:21:46 UTC

Tags:

nanocore rat

Link:

https://app.any.run/tasks/03a4feec-79c3-43bf-b36b-4567a8ffda8a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

NanoCore

Link:

https://www.capesandbox.com/analysis/377288/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Unauthorized injection to a recently created process

Creating a file

Creating a window

Сreating synchronization primitives

Creating a file in the %AppData% subdirectories

Creating a file in the Program Files subdirectories

Sending a custom TCP request

DNS request

Using the Windows Management Instrumentation requests

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

nancrat nanocore packed

Link:

https://www.filescan.io/uploads/641e76ae009023b71dc2c261/reports/38003446-3251-4884-ad27-0268aee28984/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/1321cdae4515179855c33c5254bb361a690182ad662d2f93784733e9d696270b

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

NanoCoreRAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d583dc63-844e-4a78-96aa-5224939ade9d

Result

Threat name:

Nanocore

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1201736

Signature

.NET source code contains potential unpacker

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected Nanocore Rat

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Snort IDS alert for network traffic

Uses dynamic DNS services

Yara detected Nanocore RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

nanocore

Link:

https://mwdb.cert.pl/sample/1321cdae4515179855c33c5254bb361a690182ad662d2f93784733e9d696270b/

Threat name:

Win32.Trojan.Woreflint

Status:

Malicious

First seen:

2023-02-07 13:14:37 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 37 (64.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=cmq43lsfculzqvodhrjfjozwdjuqdavnmyws7e3yi4z6tvuwe4fq._file

Verdict:

malicious

Label(s):

nanocorerat

NanoCore

4525f8366e8c5c026a44cabbafd66c0dada4289009881a8a409080f1040ae99c

NanoCore

6f5e85426d9ed199da9806bfae8480e3d44d0243c9153ae5c0fa9764c3fef90a

NanoCore

711768a3eabc30ca27f3d52e8033f9705aab9f3f9e77607c5fac03d36ac30864

NanoCore

87636fc8401a4e44e3122a73d06245affbf0c5ee0fa701b68bb1e624bde562c4

NanoCore

91a207926f0e26374d6a2a711aff82aeaf9bca709ffabd8d6f5b40ad3a301723

NanoCore

cacb2f55774ab3d5f1e89e164ea67bfa9b0f612a6e64dd8b31d062bec1d12cb6

NanoCore

eb94527ba952e836d008c8aff750d72e39172a3f810eac7f00af5c613a29da20

NanoCore

+ 666 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

family:nanocore evasion keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/230325-eym89sbb37/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Suspicious use of SetThreadContext

Adds Run key to start application

Checks whether UAC is enabled

NanoCore

Malware Config

C2 Extraction:

muna001.duckdns.org:3637
melionx.duckdns.org:3637

Unpacked files

SH256 hash:

9bb239ddb2cbda33913c4033046796094305542f9866c9c6df9568949fdb0a28

MD5 hash:

09d4b4c60bfe6e6f4cc8c58346ac2690

SHA1 hash:

ffbb0d55d936558a49a0b9181b3b3310a95b6f31

Link:

https://www.unpac.me/results/81bb88c9-92e2-4046-a61e-efd66db3d4e6/

SH256 hash:

ce9a0da88dab3c2286cb7fe8da0731430c584f821a127eea914faca82e91a896

MD5 hash:

b483431de033da7e6656dc15921f0129

SHA1 hash:

e3f7342a6a27a9e66c0455208d812f79afa7d32b

Detections:

win_nanocore_w0

Link:

https://www.unpac.me/results/81bb88c9-92e2-4046-a61e-efd66db3d4e6/

SH256 hash:

a440b5929848e6071f401a94fc1a040f14094bf7701b151ff409aeaa60e05f95

MD5 hash:

909be53831182d523ccea3c428d59c4f

SHA1 hash:

8f8f99a97544638bdfc02b5f8054f833f46eccaa

Link:

https://www.unpac.me/results/81bb88c9-92e2-4046-a61e-efd66db3d4e6/

SH256 hash:

1321cdae4515179855c33c5254bb361a690182ad662d2f93784733e9d696270b

MD5 hash:

afd0e20181b8b80d5b4421900e79bc62

SHA1 hash:

97d353b8bf34c5573988b0a1deab70887e97c800

Link:

https://www.unpac.me/results/81bb88c9-92e2-4046-a61e-efd66db3d4e6/

Malware family:

NanoCore

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1321cdae4515/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1321cdae4515179855c33c5254bb361a690182ad662d2f93784733e9d696270b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	malware_Nanocore_strings Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	MALWARE_Win_NanoCore Create hunting rule
Author:	ditekSHen
Description:	Detects NanoCore

Rule name:	nanocore_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Feb18_1_RID2DF1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name:	Nanocore_RAT_Gen_2_RID2D96 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Windows_Trojan_Nanocore_d8c4e3c5 Create hunting rule
Author:	Elastic Security

Rule name:	win_nanocore_w0 Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/377288/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample