MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 290404d235fcb1fd5f5656a2d4b755416100c005f27f7f7fcbed7dfcdb9c2a2b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 290404d235fcb1fd5f5656a2d4b755416100c005f27f7f7fcbed7dfcdb9c2a2b
SHA3-384 hash: 04815960413c3dbf1ec5b936353222461d70937cd81c54323043604b8835a4adbdcddc1ab9d7a9f0a7016b6d75f3e08e
SHA1 hash: 75bf36847b0e40040beadcf762c8c7d456700325
MD5 hash: 65fc8325f1267e27f78891801d9b68c5
humanhash: low-mike-cold-triple
File name:Doc0_01210_72820.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:727'552 bytes
First seen:2020-07-28 14:24:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash de8dfb437da223579ad1a02f0bcd4fd5 (4 x AgentTesla, 4 x Loki, 1 x FormBook)
ssdeep 12288:+YM1AJ/Y1Nda4YainuE5Ou1tFw0uKHFYbaEWeqdGlZ8qMCy5ESB6Vg:fWl1K4mOu9wsqaEp1wGyynVg
Threatray 2'696 similar samples on MalwareBazaar
TLSH 90F4BF32B2F04837C167267D9C1B976C9C2ABE433918AD566BE82D4C5F39381352A3D7
Reporter James_inthe_box
Tags:exe NanoCore

Intelligence

File Origin
# of uploads :
1
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/33796/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.BackDoor.SpyBotNET.25.18000.23185.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file in the %AppData% subdirectories
Creating a file in the Program Files subdirectories
Creating a file in the %temp% directory
Launching a process
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Enabling autorun with Startup directory
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/400579
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to detect sleep reduction / modifications
Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 252645 Sample: Doc0_01210_72820.exe Startdate: 29/07/2020 Architecture: WINDOWS Score: 100 85 g.msn.com 2->85 91 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->91 93 Found malware configuration 2->93 95 Malicious sample detected (through community Yara rule) 2->95 97 16 other signatures 2->97 11 Doc0_01210_72820.exe 2->11         started        14 Doc0_01210_72820.exe 2->14         started        16 dhcpmon.exe 2->16         started        18 dhcpmon.exe 2->18         started        signatures3 process4 signatures5 107 Detected unpacking (changes PE section rights) 11->107 109 Detected unpacking (creates a PE file in dynamic memory) 11->109 111 Detected unpacking (overwrites its own PE header) 11->111 113 Contains functionality to detect sleep reduction / modifications 11->113 20 Doc0_01210_72820.exe 1 14 11->20         started        25 Doc0_01210_72820.exe 11->25         started        115 Maps a DLL or memory area into another process 14->115 27 dhcpmon.exe 14->27         started        29 Doc0_01210_72820.exe 14->29         started        31 Doc0_01210_72820.exe 3 14->31         started        33 dhcpmon.exe 16->33         started        35 dhcpmon.exe 3 16->35         started        37 dhcpmon.exe 18->37         started        39 dhcpmon.exe 18->39         started        process6 dnsIp7 87 185.140.53.135, 49735, 7031 DAVID_CRAIGGG Sweden 20->87 89 dera118.hopto.org 105.112.100.246, 7031 VNL1-ASNG Nigeria 20->89 75 C:\Program Files (x86)\...\dhcpmon.exe, PE32 20->75 dropped 77 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 20->77 dropped 79 C:\Users\user\AppData\Local\...\tmpCA78.tmp, XML 20->79 dropped 81 C:\...\dhcpmon.exe:Zone.Identifier, ASCII 20->81 dropped 101 Hides that the sample has been downloaded from the Internet (zone.identifier) 20->101 41 schtasks.exe 1 20->41         started        43 schtasks.exe 1 20->43         started        103 Maps a DLL or memory area into another process 27->103 105 Sample uses process hollowing technique 27->105 45 Doc0_01210_72820.exe 29->45         started        83 C:\Users\user\...\Doc0_01210_72820.exe.log, ASCII 31->83 dropped 48 dhcpmon.exe 33->48         started        50 dhcpmon.exe 37->50         started        file8 signatures9 process10 signatures11 52 conhost.exe 41->52         started        54 conhost.exe 43->54         started        56 Doc0_01210_72820.exe 45->56         started        58 Doc0_01210_72820.exe 45->58         started        117 Maps a DLL or memory area into another process 48->117 60 dhcpmon.exe 48->60         started        62 dhcpmon.exe 48->62         started        64 dhcpmon.exe 50->64         started        66 dhcpmon.exe 50->66         started        process12 process13 68 dhcpmon.exe 60->68         started        signatures14 99 Maps a DLL or memory area into another process 68->99 71 dhcpmon.exe 68->71         started        73 dhcpmon.exe 68->73         started        process15
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/290404d235fcb1fd5f5656a2d4b755416100c005f27f7f7fcbed7dfcdb9c2a2b/
Threat name:
Win32.Trojan.DataStealer
Create hunting rule
Status:
Malicious
First seen:
2020-07-28 14:23:54 UTC
File Type:
PE (Exe)
Extracted files:
42
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fecajurv7sy72x2wk2rnjn2vifqqbqaf6j7x676l5v67zw44fivq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
48f66677fec3c6d3734c439ed9b2fd29cb26a155e8ccb28f30c1b2b65a4878d8
NanoCore
4983921d3469aff39daaa738072cdf18171a7c98184a0a810c9d81daac7082e4
NanoCore
5ade9d2627b6dc5d38a850e6a49f6557a9d9c63d16fe0199496a5559a74e7956
NanoCore
612a1123c2ca0a0c3f077aa506b48cfbbeb815c1c026b82f7a17d6e547b1b138
NanoCore
6fa0d2b187fff4aa38d7fe7690608068aa1469b0f2de4391947027553723b43b
NanoCore
a14f4263c002e77e88fa98957e19288e2076ad78d83c2247617f1a209d55a7a7
NanoCore
aaa969de94835c4f59740b9bc3463693142db72d094969962d353c6466c10cd5
NanoCore
bf690b9b4ab2e0306b94b1a09431878786eb0fd6e858ac1f5d21c29a78b1f8d0
NanoCore
c4284c413395930a3ca9561d55045bb40c5d14d8c70e44f4f7a9b944ef34935c
NanoCore
f304855a11aedd539b9bdb686b1d5781e0d7080560f9520c6bda8586947b3285
NanoCore
+ 2'686 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
upx evasion trojan keylogger stealer spyware family:nanocore persistence
Link:
https://tria.ge/reports/200728-drw55r2caa/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run key to start application
UPX packed file
NanoCore
Malware Config
C2 Extraction:
dera118.hopto.org:7031
185.140.53.135:7031
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Tinba
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/290404d235fcb1fd5f5656a2d4b755416100c005f27f7f7fcbed7dfcdb9c2a2b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/33796/

Comments