MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 28b60deb4ac79d6497917bfb348e92c983c7d8a5f2ebd27ea301431d1ee77d34. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 28b60deb4ac79d6497917bfb348e92c983c7d8a5f2ebd27ea301431d1ee77d34
SHA3-384 hash: b401349639791d82aa2c1b6ecffeff5685611ca17076c4d8db5d936de55462c756847d6bf532679b93e3449d1a57e245
SHA1 hash: f8b3147951a9fe14ca924ce7638e69181954a739
MD5 hash: 2f2c16cae85db2580498752d524f365d
humanhash: aspen-island-mirror-four
File name:zAlNQ6GMGIHd4EB.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:864'768 bytes
First seen:2020-10-12 06:21:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:fhOlIGH8e802q7msbViglmgSHsKw9TskOsBwbvvooO7gBYChOsyENgKidWw:MldPmsbVBlmTwhsk1edsshOsGdX
Threatray 1'138 similar samples on MalwareBazaar
TLSH CD05F06136B85F86D17E9BF90624255013F46E1B386EF20D2EC225EF5AB5F829200F77
Reporter abuse_ch
Tags:exe NanoCore RAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
118
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/69968/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Creating a file
Creating a file in the %AppData% subdirectories
Connection attempt to an infection source
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/488052
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected Nanocore Rat
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 296484 Sample: zAlNQ6GMGIHd4EB.exe Startdate: 12/10/2020 Architecture: WINDOWS Score: 100 41 Malicious sample detected (through community Yara rule) 2->41 43 Multi AV Scanner detection for dropped file 2->43 45 Sigma detected: Scheduled temp file as task from temp location 2->45 47 10 other signatures 2->47 8 zAlNQ6GMGIHd4EB.exe 8 2->8         started        12 RegSvcs.exe 4 2->12         started        process3 file4 29 C:\Users\user\AppData\...\xNqBATmvHvmE.exe, PE32 8->29 dropped 31 C:\Users\user\AppData\Local\...\tmp183A.tmp, XML 8->31 dropped 33 C:\Users\user\...\zAlNQ6GMGIHd4EB.exe.log, ASCII 8->33 dropped 49 Writes to foreign memory regions 8->49 51 Allocates memory in foreign processes 8->51 53 Injects a PE file into a foreign processes 8->53 55 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 8->55 14 RegSvcs.exe 10 8->14         started        19 schtasks.exe 1 8->19         started        21 conhost.exe 12->21         started        signatures5 process6 dnsIp7 37 79.134.225.103, 1985, 49733, 49735 FINK-TELECOM-SERVICESCH Switzerland 14->37 35 C:\Users\user\AppData\Roaming\...\run.dat, ISO-8859 14->35 dropped 39 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->39 23 schtasks.exe 1 14->23         started        25 conhost.exe 19->25         started        file8 signatures9 process10 process11 27 conhost.exe 23->27         started       
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/28b60deb4ac79d6497917bfb348e92c983c7d8a5f2ebd27ea301431d1ee77d34/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2020-10-12 03:20:03 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fc3a322ky6owjf4rpp5tjduszgb4pwff6lv5e7vdafbr2hxhpu2a._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
042e32eb8970e6dd8e767bb75bc25b3325c314783b9c3bb365727584dba4d918
NanoCore
054b7c5d38a00ecfc40168d4dc21610139c5ab6a46d2a0e851ef100397d5e5e9
NanoCore
1fb23de8da95ef200663ec6bffe9a439b6c39927559b5e103a488cf54355ebad
NanoCore
35053de930782e8179e3721c8927c499b71dc9926db872b722fe8b5ec5b300b2
NanoCore
4255ae6b31d6068463b663c1871ac8cee3461b0d3fbf642f96cf9a3e8817803c
NanoCore
792259d9e6e262d17cc54f4b43c8e95cd0be1e533f5e5032a5cdefb9f899a6a2
NanoCore
b0f6052c071380b0413ba33ab5f888442bba649614a7102ade644d7195487bed
NanoCore
b3c33339d1d526eebdd71c8ce0d1f3d0a12be1d5325e7678924e2bfc29a84181
NanoCore
f4b7759a1a42ebd89a61ed697ca26661dff56719bbf254b7b1f400f3cf4487d1
NanoCore
f638e03e33b24d736db2873b3dee14d8312731d040adb93265b99e21b94b3978
NanoCore
+ 1'128 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
keylogger trojan stealer spyware family:nanocore
Link:
https://tria.ge/reports/201012-q9d2we1zbe/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
NanoCore
Malware Config
C2 Extraction:
79.134.225.103:1985
Unpacked files
SH256 hash:
28b60deb4ac79d6497917bfb348e92c983c7d8a5f2ebd27ea301431d1ee77d34
MD5 hash:
2f2c16cae85db2580498752d524f365d
SHA1 hash:
f8b3147951a9fe14ca924ce7638e69181954a739
Link:
https://www.unpac.me/results/fb70b6ee-e183-4a18-a468-943ed5eb3926/
SH256 hash:
607f04646c9f16f7c23fa69d4b8f660fc7c44d40e4f73a0c70a2b315debdaa8b
MD5 hash:
a90baadadf904455325f7bc787185c7b
SHA1 hash:
7d833bb819d638008c98be469b05db2feaf201cd
Link:
https://www.unpac.me/results/fb70b6ee-e183-4a18-a468-943ed5eb3926/
SH256 hash:
b60be48392dc2973d2bc8c4ad3bfd4d7706d6008bba50add57fa75a142485697
MD5 hash:
80489be5b88b7407141fd5b216c34a9a
SHA1 hash:
870706b0b6a7ee59227ab6f35bf71a779ef3c4eb
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/fb70b6ee-e183-4a18-a468-943ed5eb3926/
Parent samples :
85f95dab2beb3b902b643d41c5265cfe2c501b2edaeb9cdf0048d33781804776
76bbef6a12a37e8031b7384b01ec361032d314edb983d318da3665d00a9e3442
d03cb8f1bef2e072243235b214adfcbd3e03377a5f3d8753d5025ef35a1666bc
a041901d7e7a00b59fb1c4a4e1b2cdb7e9acd7c554d0a13412e658cb42cf0d5b
28b60deb4ac79d6497917bfb348e92c983c7d8a5f2ebd27ea301431d1ee77d34
6d7777a351cb283a611a6886d28645bffbea5cb7b791924221119a35d606472a
bb0fecab55ccc71d84ab14fb8bbc6d00af4544c2908955f71dd5afabfb7f0f29
SH256 hash:
c38478d3e66cef6419e36706b38f9e5d69e9be313ebd7eed59bd7f384e30b934
MD5 hash:
752513b413c7fb548990d4e53c80ffbe
SHA1 hash:
d68b873b551468b6f077a7093fdefaed37a0ee6d
Link:
https://www.unpac.me/results/fb70b6ee-e183-4a18-a468-943ed5eb3926/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Nanocore
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/28b60deb4ac79d6497917bfb348e92c983c7d8a5f2ebd27ea301431d1ee77d34

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

Executable exe 28b60deb4ac79d6497917bfb348e92c983c7d8a5f2ebd27ea301431d1ee77d34

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/69968/

Comments