MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b8775fa633e04edf24411129b02074e4a9b8a79c28896908ff57dafe7cde968. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NanoCore


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 11 File information Comments

SHA256 hash: 1b8775fa633e04edf24411129b02074e4a9b8a79c28896908ff57dafe7cde968
SHA3-384 hash: bde5b5e13ea78694e61ba384b4a478a32b206242636fc2538e6cb3bc7f8bd3daeb6e2c52c24da8528e80b481d40df0c8
SHA1 hash: 49d652b6e0fe6071b99fa9a7e891cc5187ebc4db
MD5 hash: e193dff484ce89bc7ba5ae2022ab7227
humanhash: oregon-ink-jupiter-alaska
File name:G2M18C6INV0ICERECEIPT.vbs
Download: download sample
Signature NanoCore
File size:4'866 bytes
First seen:2022-01-14 12:31:49 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 96:8ksgukFSHAaAkaJAzAQAczA2zhDzO4RO4aO4gzO48O4jO4UO4OO4cO4BRU17:88ukFOAaArJAzAQAczA2zhDC3A/CkZ2n
Threatray 3'499 similar samples on MalwareBazaar
TLSH T1B4A19C628D4EDDCA999EDF9B823586C3E3BDF031D0A57C16638473721A9E5148C7EE40
Reporter @abuse_ch
Tags:NanoCore RAT vbs


Twitter
@abuse_ch
NanoCore C2:
185.140.53.10:9090

Intelligence


File Origin
# of uploads :
1
# of downloads :
375
Origin country :
US US
Mail intelligence
No data
Vendor Threat Intelligence
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
powershell replace.exe
Result
Verdict:
MALICIOUS
Result
Threat name:
Nanocore HTMLPhisher
Detection:
malicious
Classification:
phis.troj.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Suspicious PowerShell Command Line
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses dynamic DNS services
VBScript performs obfuscated calls to suspicious functions
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected HtmlPhish44
Yara detected Nanocore RAT
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 553203 Sample: G2M18C6INV0ICERECEIPT.vbs Startdate: 14/01/2022 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->36 38 Found malware configuration 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 9 other signatures 2->42 7 wscript.exe 1 2->7         started        process3 signatures4 44 VBScript performs obfuscated calls to suspicious functions 7->44 46 Wscript starts Powershell (via cmd or directly) 7->46 10 powershell.exe 14 20 7->10         started        process5 dnsIp6 28 swmen.com 107.180.25.2, 49752, 49761, 80 AS-26496-GO-DADDY-COM-LLCUS United States 10->28 30 192.168.2.1 unknown unknown 10->30 26 C:\ProgramData\...\5197349279415287975939.HTA, HTML 10->26 dropped 48 Creates an undocumented autostart registry key 10->48 50 Writes to foreign memory regions 10->50 52 Injects a PE file into a foreign processes 10->52 15 aspnet_compiler.exe 9 10->15         started        20 conhost.exe 10->20         started        22 aspnet_compiler.exe 10->22         started        file7 signatures8 process9 dnsIp10 32 testalienscy9090.duckdns.org 185.140.53.10, 49764, 49765, 49766 DAVID_CRAIGGG Sweden 15->32 24 C:\Users\user\AppData\Roaming\...\run.dat, International 15->24 dropped 34 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->34 file11 signatures12
Threat name:
Script.Trojan.Heuristic
Status:
Malicious
First seen:
2022-01-14 12:32:10 UTC
File Type:
Text (VBS)
AV detection:
2 of 43 (4.65%)
Threat level:
  2/5
Result
Malware family:
nanocore
Score:
  10/10
Tags:
family:nanocore keylogger spyware stealer suricata trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Blocklisted process makes network request
NanoCore
suricata: ET MALWARE Possible NanoCore C2 60B
Malware Config
C2 Extraction:
testalienscy9090.duckdns.org:9090

YARA Signatures


MalareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious proccess dumps they may create. Please note that only results from TLP:WHITE rules are being displayeyd.

Rule name:ach_NanoCore
Author:abuse.ch
Rule name:MALWARE_Win_NanoCore
Author:ditekSHen
Description:Detects NanoCore
Rule name:Nanocore
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:nanocore_rat
Author:jeFF0Falltrades
Rule name:Nanocore_RAT_Feb18_1
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Feb18_1_RID2DF1
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:Nanocore_RAT_Gen_2_RID2D96
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:win_nanocore_w0
Author:Kevin Breen <kevin@techanarchy.net>

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.140.53.10:9090 https://threatfox.abuse.ch/ioc/295218

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments