MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1659e923ca5d1e286f0d6c624abb7e99f75fa2e364d48e797d98051feffa6492. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 6

Intelligence 6 IOCs YARA 13 File information Comments

SHA256 hash:	1659e923ca5d1e286f0d6c624abb7e99f75fa2e364d48e797d98051feffa6492
SHA3-384 hash:	b4385366a47d3b4e7e00712ce56dc07352ade05202714cb215508fa994acdc07434d77bb158212bb218b942235fe3b83
SHA1 hash:	a60fa7200552f46dc19e3f756a1f40b14f3a93be
MD5 hash:	5df8c79d010a75696cd308ee58ceb98b
humanhash:	ceiling-lion-pennsylvania-burger
File name:	1659e923ca5d1e286f0d6c624abb7e99f75fa2e364d48e797d98051feffa6492
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	1'948'721 bytes
First seen:	2020-11-07 17:25:31 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	710b4c559675f6d65697110d8f6c48dd (4 x NanoCore, 1 x njrat)
ssdeep	24576:eAy22k19sIE2zf4C+j9M8wVE750VgPa70uZCPHQxgjbkQzEf4ak1swtl7r:ex2719HDzfSjO80k5029RH6KtEAx1sC
TLSH	9795BFD570A094AAE99B1CF1AD5EE53030E63A9C90E8920D79E7770D46E3382205FF5F
Reporter	seifreed
Tags:	NanoCore

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Delayed reading of the file

Creating a file in the %temp% subdirectories

Creating a file in the Program Files subdirectories

Creating a file in the %AppData% directory

Deleting a recently created file

Creating a process from a recently created file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1659e923ca5d1e286f0d6c624abb7e99f75fa2e364d48e797d98051feffa6492/

Threat name:

Win32.Backdoor.Proyecto

Status:

Malicious

First seen:

2020-11-07 17:33:29 UTC

AV detection:

18 of 29 (62.07%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=czm6si6klupcq3ynnrrevo36th3v7ixdmtki46l5tacr7372msja._file

Result

Malware family:

n/a

Score:

8/10

Tags:

discovery

Link:

https://tria.ge/reports/201108-3mnepvtchx/

Behaviour

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Drops file in Program Files directory

Checks installed software on the system

Loads dropped DLL

Executes dropped EXE

Unpacked files

SH256 hash:

1659e923ca5d1e286f0d6c624abb7e99f75fa2e364d48e797d98051feffa6492

MD5 hash:

5df8c79d010a75696cd308ee58ceb98b

SHA1 hash:

a60fa7200552f46dc19e3f756a1f40b14f3a93be

Link:

https://www.unpac.me/results/98eee4e7-de43-426f-9a87-866ece6e849e/

SH256 hash:

fb9ca2eed9e131f3bd56c84df4a18a91f37068b8c5c84176031640122021c088

MD5 hash:

29e4328b87f7294887a524c53a54a8b2

SHA1 hash:

4825ca5a83237e531488ad4afe1037630d364092

Link:

https://www.unpac.me/results/98eee4e7-de43-426f-9a87-866ece6e849e/

SH256 hash:

903a89ad4c38b2a4ca5c489fbf0850e04660b384129443f46afa574528b45a6f

MD5 hash:

dac53124b6e12d6ec36af0b834cc41c0

SHA1 hash:

016607f9874106b1d2072b1128dce4226da53ee9

Link:

https://www.unpac.me/results/98eee4e7-de43-426f-9a87-866ece6e849e/

SH256 hash:

a5006a21648360966ba3bad195a5f2ee6115beba77ce5c21e810396f90738200

MD5 hash:

b14a10760e7aa19b66caadeb5fa96b83

SHA1 hash:

bdf4781630408c37b199908baa17ed4b9fe8e29b

Link:

https://www.unpac.me/results/98eee4e7-de43-426f-9a87-866ece6e849e/

SH256 hash:

15fd6c2d1b473d9df424ff4fb56bca79427df56b2faa866eeb112c59e4d57536

MD5 hash:

a6c3a4baa7805fecd70e4c44266747e8

SHA1 hash:

e4d6db7562d2291c9505fe735562e0cffae5f16d

Link:

https://www.unpac.me/results/98eee4e7-de43-426f-9a87-866ece6e849e/

SH256 hash:

a1904d6294a6cfa5ebd6112c6f0688417d7912ef46180e901010cd6b39a5ddd6

MD5 hash:

237fd64624930c83c3dd2155984840a7

SHA1 hash:

5493f4ed3554cca89c7eaf5b1058f99c6248347e

Link:

https://www.unpac.me/results/98eee4e7-de43-426f-9a87-866ece6e849e/

SH256 hash:

2de128fee375f729e6c7a81f640af5f7bc5697f7b56f806a2b441526753c2ace

MD5 hash:

08b7153152142acb4579fdef7e580890

SHA1 hash:

8adb5a854b0878cc28b39dcb8f3ee4ef1d41a697

Link:

https://www.unpac.me/results/98eee4e7-de43-426f-9a87-866ece6e849e/

SH256 hash:

3d473f46d7e52a1e688ad211186e63a3c95235a65a262f014e030af0e8a93ef4

MD5 hash:

dc150858e0d4a2d965a3702a815f92de

SHA1 hash:

9961dc2b6e2ea0b23a4c6f4f9a5023ca7c3196ba

Link:

https://www.unpac.me/results/98eee4e7-de43-426f-9a87-866ece6e849e/

SH256 hash:

b66ff68d36035f8fc588baca38514175d3d2b124df48e15ac7016983065e0480

MD5 hash:

026143c034261d754539e3d84f89bb6c

SHA1 hash:

afe97d20215431a7af7fe1f3617e77541a15e332

Detections:

win_nanocore_w0

Link:

https://www.unpac.me/results/98eee4e7-de43-426f-9a87-866ece6e849e/

Parent samples :

c07b839b06e6a47b60088316a48acfc38f0a305d2d56377a4dce1d8065c481b8
1659e923ca5d1e286f0d6c624abb7e99f75fa2e364d48e797d98051feffa6492
1d544377caff885efdc6f149a99a0ae48d03cad19f3b7eb040ec6a90058556bd

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Embedded_PE Create hunting rule

Rule name:	Intezer_Vaccine_DarkComet Create hunting rule
Author:	Intezer Labs
Description:	Automatic YARA vaccination rule created based on the file's genes
Reference:	https://analyze.intezer.com

Rule name:	IPPort_combo_mem Create hunting rule
Author:	James_inthe_box
Description:	IP and port combo

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	Malware_QA_update Create hunting rule
Author:	Florian Roth
Description:	VT Research QA uploaded malware - file update.exe
Reference:	VT Research QA

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	nanocore_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name:	RAT_DarkComet Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>
Description:	Detects DarkComet RAT
Reference:	http://malwareconfig.com/stats/DarkComet

Rule name:	win_darkcomet_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	win_nanocore_w0 Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample