MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 266c0f3b1cf78040080fce2037544112b77d23b25753c714d6390c2f705a3c34. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 266c0f3b1cf78040080fce2037544112b77d23b25753c714d6390c2f705a3c34
SHA3-384 hash: 4f7f6ae21c4af03f817f3dbfc36fb6858e33fda93c9fe501cd18449c55aa5b7be2fabc33e9b475822e7757ca213efbe3
SHA1 hash: 5872f91c68fc59dcc2c96f74405c57e28125dc2e
MD5 hash: 18bbaa22198d5b40af04666ab20cbcac
humanhash: golf-tango-mirror-video
File name:SecuriteInfo.com.Trojan.GenericKD.34334455.23770.3186
Download: download sample
Signature NanoCore
Create hunting rule
File size:864'768 bytes
First seen:2020-08-11 08:12:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:6VmV9rmf0YQePcON6qJpZg28SNINqCNqgGUiMfBNxva0mJNYeGxZ:6kDriPcE6qbZg2pGwaGxMLla0CGxZ
Threatray 1'281 similar samples on MalwareBazaar
TLSH B605BE60F10031D6F263C2397190EE762258AD42D9224F77F2EB6DAB7F951C61263F1A
Reporter SecuriteInfoCom
Tags:NanoCore

Intelligence

File Origin
# of uploads :
1
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/43182/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.34334455.23770.3186.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a window
Creating a file in the %AppData% subdirectories
Creating a file
DNS request
Sending a UDP request
Connection attempt to an infection source
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/418061
Signature
.NET source code contains potential unpacker
Detected Nanocore Rat
Drops PE files to the startup folder
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Sigma detected: NanoCore
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 261291 Sample: SecuriteInfo.com.Trojan.Gen... Startdate: 11/08/2020 Architecture: WINDOWS Score: 100 37 vreme.ddns.net 2->37 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 Sigma detected: NanoCore 2->51 53 6 other signatures 2->53 8 SecuriteInfo.com.Trojan.GenericKD.34334455.23770.exe 2 2->8         started        12 HJdyTuap.exe 2->12         started        signatures3 process4 file5 29 C:\Users\user\AppData\...\HJdyTuap.exe, PE32 8->29 dropped 31 SecuriteInfo.com.T...34455.23770.exe.log, ASCII 8->31 dropped 55 Drops PE files to the startup folder 8->55 57 Writes to foreign memory regions 8->57 59 Maps a DLL or memory area into another process 8->59 14 RegAsm.exe 6 8->14         started        19 RegAsm.exe 8->19         started        21 HJdyTuap.exe 12->21         started        23 RegAsm.exe 3 12->23         started        25 RegAsm.exe 12->25         started        signatures6 process7 dnsIp8 39 vreme.ddns.net 185.244.30.251, 1133, 49725, 49729 DAVID_CRAIGGG Netherlands 14->39 33 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 14->33 dropped 41 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->41 43 Writes to foreign memory regions 21->43 45 Maps a DLL or memory area into another process 21->45 27 RegAsm.exe 2 21->27         started        35 C:\Users\user\AppData\...\RegAsm.exe.log, ASCII 23->35 dropped file9 signatures10 process11
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/266c0f3b1cf78040080fce2037544112b77d23b25753c714d6390c2f705a3c34/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-08-11 03:29:31 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
05b767928a12a7132cd04cb09e2a33a449beb0a2f57e408aa20985a8282fb83b
NanoCore
06d720fb36d32c1b3ce7fea9bb50eb90c2e1d90b270c1f21658c1035344a4c4b
NanoCore
2d29dd2850f00233df8fe98eafa855483b92bf224f0fa023cd3eb39982c15e7c
NanoCore
34f1b02bdccebe61deb518957acd32c9a64ce358102db3be15ed7d46f9945004
NanoCore
49734ef67be2f2a71545820ed6258683d03a9aa3a97db586aea7d148090b4fa4
NanoCore
732af876d4a5f421064389d615971a380c530252032d40651f058dde13798693
NanoCore
83a8770b696746dc54258ee42b776a69feb8f2bff538b50d840dcbbe9f80cfe5
NanoCore
91b9e5401ca19ff3f45d8c3acce6a793f7cb713bc6920d9c5371197ad6a3b582
NanoCore
bc9204be92ac0bd373bc0153d02be668ad82d382ebcc112fa8c252e6f9c67080
NanoCore
df0c82790a3c6e0f1280a03ba2bc07e239a8119f8ae9d78108ec0bdfa93d8c36
NanoCore
+ 1'271 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
keylogger trojan stealer spyware family:nanocore evasion
Link:
https://tria.ge/reports/200811-6zcp9xggzn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Drops startup file
NanoCore
Malware Config
C2 Extraction:
vreme.ddns.net:1133
185.244.30.251:1133
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NanoCore
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/266c0f3b1cf78040080fce2037544112b77d23b25753c714d6390c2f705a3c34

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NanoCore

Executable exe 266c0f3b1cf78040080fce2037544112b77d23b25753c714d6390c2f705a3c34

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/43182/
  
URLhaus
https://urlhaus.abuse.ch/url/428989/
  
Delivery method
Distributed via web download

Comments