MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 13b38a3ba6927a921ab19d9b08c0f8f3e0e81f8674999459c40ddc2387923d6f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 13


Intelligence 13 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 13b38a3ba6927a921ab19d9b08c0f8f3e0e81f8674999459c40ddc2387923d6f
SHA3-384 hash: f6c25e7944a5c531016b3dfd4ba15532c7bfbb9345c89a68181ad6dfae7bc908ed5515ef661612f710aea6a9d0b15f2a
SHA1 hash: 318e24fc1a8fce5a658071266b3809a5d182f62b
MD5 hash: afd318f2320dcd2d2f1bb242adf2de52
humanhash: sodium-jupiter-pluto-kilo
File name:afd318f2320dcd2d2f1bb242adf2de52.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:499'712 bytes
First seen:2020-12-15 17:39:43 UTC
Last seen:2020-12-15 19:32:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:1LMNzUBQ8Lapp1tLgDVMbMOXFVZ0VscQqpiN0cL:ON38La5IVmnXPZ0V4qpxcL
Threatray 1'395 similar samples on MalwareBazaar
TLSH 42B4E1322644B772E6BD4FF0D12125441F746F275221E68EAC8111DE26FF730AEA5EA3
Reporter abuse_ch
Tags:exe NanoCore RAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
267
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
NEW_QUOTATION_mp20201126_Quotation_20P6200829_sup_mpjxPriceInquiry_1606406420424.doc
Verdict:
Malicious activity
Analysis date:
2020-12-15 07:23:05 UTC
Tags:
ole-embedded exploit CVE-2017-11882 trojan nanocore rat
Link:
https://app.any.run/tasks/8627d0f9-a68e-4580-a02c-fb8dfd06ff69

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/108212/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.405.1769.19286.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Creating a file in the %AppData% subdirectories
Creating a file in the Program Files subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/563591
Signature
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 330881 Sample: e8581Z9tBx.exe Startdate: 15/12/2020 Architecture: WINDOWS Score: 100 55 Found malware configuration 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 Multi AV Scanner detection for dropped file 2->59 61 10 other signatures 2->61 8 e8581Z9tBx.exe 6 2->8         started        12 e8581Z9tBx.exe 4 2->12         started        14 dhcpmon.exe 2 2->14         started        16 dhcpmon.exe 3 2->16         started        process3 file4 47 C:\Users\user\AppData\Roaming\ZWtftCtmw.exe, PE32 8->47 dropped 49 C:\Users\user\AppData\Local\...\tmpD067.tmp, XML 8->49 dropped 51 C:\Users\user\AppData\...\e8581Z9tBx.exe.log, ASCII 8->51 dropped 65 Injects a PE file into a foreign processes 8->65 18 e8581Z9tBx.exe 1 12 8->18         started        23 schtasks.exe 1 8->23         started        25 schtasks.exe 12->25         started        27 e8581Z9tBx.exe 12->27         started        signatures5 process6 dnsIp7 53 185.140.53.211, 4488, 49726, 49729 DAVID_CRAIGGG Sweden 18->53 43 C:\Program Files (x86)\...\dhcpmon.exe, PE32 18->43 dropped 45 C:\Users\user\AppData\Roaming\...\run.dat, data 18->45 dropped 63 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->63 29 schtasks.exe 1 18->29         started        31 schtasks.exe 1 18->31         started        33 conhost.exe 23->33         started        35 conhost.exe 25->35         started        37 conhost.exe 25->37         started        file8 signatures9 process10 process11 39 conhost.exe 29->39         started        41 conhost.exe 31->41         started       
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/13b38a3ba6927a921ab19d9b08c0f8f3e0e81f8674999459c40ddc2387923d6f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-12-10 17:47:53 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cozyuo5gsj5jegvrtwnqrqhy6pqoqh4gosmziwoebxochb4shvxq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
2a8897933ca5ef8b9ef0092b50977e9f7b1fb7041ed48acf4c613661fde81f18
NanoCore
6e6132e3f3bc119adac878ba65475b581698e8dd7d2169f984bb5eb232f6b3c6
NanoCore
78491e950a624399f497cedd25cae2231223b1bcd2f93379480b3c9edb4c6a92
NanoCore
7bd7382e7c7adb412c92a59fba2d12aa6dd4a6dbe50a1115df58979c7e172192
NanoCore
9279c6ca7db65d126d35f77f8dc93b46c0e6e68a5ba6da1789ae30c1959bb898
NanoCore
be240aed297970b0e97f46ce8964784645c8bfeb7b4ffc451ab7857b7df8438f
NanoCore
cb5eb4758a41046a2f3fc084731d756aedf8ea212dc08c9bb2e6cd7f5eff6cae
NanoCore
dc4703df57c6fd50a74396618bc4f9da307e530c8469a0418667a26d24749684
NanoCore
ea4115e347193aa868162072e3db30d9652650aa2915726aa83d91beb202b9bb
NanoCore
ef9af7994d5d9ac283134b522ae1e1680eecee19974bf717fc5cb50d69b5d371
NanoCore
+ 1'385 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201215-y5a79c9tkn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
NanoCore
Malware Config
C2 Extraction:
185.140.53.211:4488
Unpacked files
SH256 hash:
c88a66cbf00b12c88e2b970b8bc220e970e8465e56098ced24e97d42be901b94
MD5 hash:
a60401dc02ff4f3250a749965097e13f
SHA1 hash:
3f22d28fd765f831084cb972a8bd071e421c26a1
Link:
https://www.unpac.me/results/4615cb97-a66b-4839-a76b-d421d356b8b5/
SH256 hash:
fc9743ee41d4b452643de486d3e89782f64dd0bb556babb58bc61e026b840ca9
MD5 hash:
0738387df13d5494c2d03dd07c67d8bd
SHA1 hash:
420b84fe2967e5e88d0712db31fb26d0b692c6f0
Link:
https://www.unpac.me/results/4615cb97-a66b-4839-a76b-d421d356b8b5/
SH256 hash:
961d1cc8bfc921659deaff9a5c1c7a6e6b4228afa10e36f6f0c2832dae8f2cce
MD5 hash:
61440fdd9430a6de9a7196ff774e6b67
SHA1 hash:
4c06d0c9942af5246a5edc45da6a68f54041e40e
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/4615cb97-a66b-4839-a76b-d421d356b8b5/
Parent samples :
13b38a3ba6927a921ab19d9b08c0f8f3e0e81f8674999459c40ddc2387923d6f
8f892e7c8862ba3a04ff8afe8603b3c0d1392d3febfb117446dcd8752504eed7
ca70cd8ae3f148808ed928635b49938b163d04eb85861d6bfd85a80527d35ce6
SH256 hash:
13b38a3ba6927a921ab19d9b08c0f8f3e0e81f8674999459c40ddc2387923d6f
MD5 hash:
afd318f2320dcd2d2f1bb242adf2de52
SHA1 hash:
318e24fc1a8fce5a658071266b3809a5d182f62b
Link:
https://www.unpac.me/results/4615cb97-a66b-4839-a76b-d421d356b8b5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/13b38a3ba6927a921ab19d9b08c0f8f3e0e81f8674999459c40ddc2387923d6f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:nanocore_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NanoCore

Executable exe 13b38a3ba6927a921ab19d9b08c0f8f3e0e81f8674999459c40ddc2387923d6f

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/108212/
  
URLhaus
https://urlhaus.abuse.ch/url/919854/
  
Delivery method
Distributed via web download

Comments