MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 23005e23c85ef953237d9107f4542a08afc83f4d921191b78cc983f7aebfea21. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 8


Intelligence 8 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 23005e23c85ef953237d9107f4542a08afc83f4d921191b78cc983f7aebfea21
SHA3-384 hash: 8ff657835a9f3caf943e3b52e6629d62a773b424ec8dc9c8a900bfbf91ea6e84be6b0066d58ce121304d152a4a45f947
SHA1 hash: f355283de158beefa00973c23b6f56d79e09696e
MD5 hash: 27b836d8ffb8c25b6d9d57cc32dbb3c8
humanhash: illinois-florida-pizza-venus
File name:Current order.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:1'151'718 bytes
First seen:2020-07-13 11:51:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 00be6e6c4f9e287672c8301b72bdabf3 (116 x RedLineStealer, 70 x AsyncRAT, 55 x AgentTesla)
ssdeep 24576:6NA3R5drXdtQoT2tULolkQdNK7P+eoJEyx/eqgeyJf1hlIXyCazFQYcaMnY6de:z5bQoStLlkEwPQEyx/mEyZ66wE
Threatray 1'318 similar samples on MalwareBazaar
TLSH E4351251B6E284B3D5B61936092AFB51AE7C79700F3CDA1F63D45D6D8A32080E238B73
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
NanoCore RAT C2:
innocentbooii.hopto.org:55420 (197.210.84.94)

Intelligence

File Origin
# of uploads :
1
# of downloads :
114
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/25281/
Detection(s):
SecuriteInfo.com.Troj.NanoCo_TZ.22029.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Enabling the 'hidden' option for files in the %temp% directory
Creating a process from a recently created file
Creating a file
Launching a process
Forced system process termination
Creating a file in the %AppData% subdirectories
Creating a file in the Program Files subdirectories
Deleting a recently created file
DNS request
Blocking a possibility to launch for the Windows Task Manager (taskmgr)
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Unauthorized injection to a system process
Enabling autorun with Startup directory
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/23005e23c85ef953237d9107f4542a08afc83f4d921191b78cc983f7aebfea21/
Threat name:
Win32.Backdoor.NanoCore
Create hunting rule
Status:
Malicious
First seen:
2020-07-13 11:53:04 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=emaf4i6il34vgi35sed7ivbkbcx4qp2nsiizdn4mzgb7plv75iqq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
01d06f60795cc63acabaa25c87909e436a7160a172e59c22f341ebad725998b2
NanoCore
251c55b7c7c02eec9a87eca94bb01f653317ef5d8278aeb2b511194d7057a675
NanoCore
4cc5f468994fd62cc832482404cfc7e45232f059b9d355d3df41535a170b3470
NanoCore
61f312d2472d658a6570f3e96fc4543309a304d9415e86b1c9306f2baacc9563
NanoCore
7943dd3d1f4215ee40123ab13edc945dccd0ff9d3e9cddf372ff8ecbffe62635
NanoCore
87ee5e680c1334c8945b1448819310331304593ad7b4356807bed6d857060226
NanoCore
8d3c18b852f38c03b74ec7de7771a9f93e6f5e3aa44d3863567d984fed0c6d88
NanoCore
9e1de81ecb080a9d970953a62de72b6a83cc61776409098f1429c11032cbfa14
NanoCore
a94d174668553fbeb3c27e3194f9cef33d0d24ca56891658911bfdd7451ae9f8
NanoCore
d35f40a630b2e4b24ec76c354e1e66d927afe339aaba45ff3c750ed52193c910
NanoCore
+ 1'308 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
evasion persistence keylogger trojan stealer spyware family:nanocore
Link:
https://tria.ge/reports/200713-5bk1p14nmj/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run entry to start application
Checks whether UAC is enabled
Loads dropped DLL
Executes dropped EXE
Disables Task Manager via registry modification
NanoCore
Malware Config
C2 Extraction:
innocentbooii.hopto.org:55420
185.244.30.33:55420
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

Executable exe 23005e23c85ef953237d9107f4542a08afc83f4d921191b78cc983f7aebfea21

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/25281/

Comments