MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2acf6c2398a12dc97ff2ceec4f348ed6338c4aafb2dcfeb24856cf8526d12a9d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 8


Intelligence 8 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2acf6c2398a12dc97ff2ceec4f348ed6338c4aafb2dcfeb24856cf8526d12a9d
SHA3-384 hash: 90264e0cd12b624f0e17d5aa8727832f4886d653755bd3b0223e74e74638fc50006c907cf2988a6d157b3aa772d90659
SHA1 hash: 18e60c3c8112b0681db538eb2c4c9bde7d590aaa
MD5 hash: 5aab72a04e08d18505e3b80390a61ba5
humanhash: lemon-mirror-leopard-berlin
File name:dutyx.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:954'368 bytes
First seen:2020-07-09 13:39:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e335e0f383b17202864efb975d29d538 (14 x AgentTesla, 6 x Loki, 3 x AZORult)
ssdeep 12288:RVDQmQK44+3gCiU24vBV3RpqTf5RqH+YalI3QmMTP/DsgeA99RmpKZMj6e2YlmAi:zkAVCi74LofeHXecQmiDXeOzmHvVW
Threatray 3'246 similar samples on MalwareBazaar
TLSH ED159D2EB3904833C0631A3D8D5B6778982ABE512E28BA4BBFF55C4C5F396403935397
Reporter James_inthe_box
Tags:exe NanoCore

Intelligence

File Origin
# of uploads :
1
# of downloads :
106
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/23829/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Win32.Herz.B.14887.31971.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file in the %AppData% subdirectories
Creating a file in the Program Files subdirectories
Creating a file in the %temp% directory
Launching a process
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Enabling autorun with Startup directory
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2acf6c2398a12dc97ff2ceec4f348ed6338c4aafb2dcfeb24856cf8526d12a9d/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-07-09 04:09:34 UTC
File Type:
PE (Exe)
Extracted files:
77
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=flhwyi4yuew4s77sz3we6neo2yzyysvpwlop5msik3hykjwrfkoq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
38bf20255640821b131eaa9c22c16a6e55e61e18a6cd4e248aa07b919847d626
NanoCore
7259675aad35bed593ec88a0f96263e182eaac06043f25df3362eb29186d2cd1
NanoCore
7f0bd5d4fdb77f5c7944ba26cf6028a8f7f3f92e674611385f6cdd1e5258708d
NanoCore
8359e964cc6f542d0b069ece3e6529726d432b4946e054ac3b1c1bedcef2f7d8
NanoCore
8c597485c8789aeb7f4edef9a49fc83a39346ea4d9f31f51b92f27b77ed8af0d
NanoCore
a97663c4fdf7f3cdf524888ec2952bb015e77484d50627e185e67c8846bd8660
NanoCore
aaa969de94835c4f59740b9bc3463693142db72d094969962d353c6466c10cd5
NanoCore
d4d803a83e2c4c348972b6b8e5fce93416b0c60977a447818f592795505fdff1
NanoCore
e0d6344a846da96882dded2616661ce7b3f4011d05935c64d14e9ccf1a9965e2
NanoCore
f4dc1e741d3aef915ff984ff1346fc85ec3d37e9e89b275bb344e25c767751da
NanoCore
+ 3'236 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
evasion trojan keylogger stealer spyware family:nanocore persistence
Link:
https://tria.ge/reports/200709-km139zevmj/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious behavior: MapViewOfSection
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run entry to start application
UPX packed file
NanoCore
Malware Config
C2 Extraction:
79.134.225.75:21600
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/23829/
  
URLhaus
https://urlhaus.abuse.ch/url/410523/

Comments