MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2c01956cb3c943f326be2faf3d36c147918724d1813e0fea8ab4df3ef79cb714. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 10


Intelligence 10 IOCs 2 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2c01956cb3c943f326be2faf3d36c147918724d1813e0fea8ab4df3ef79cb714
SHA3-384 hash: e69fa1ee6d7dad508b98fde13defbf356fc8ee8a89d4d5f7c32976569de64f4c95573bce1588c27f0ca992d524c4893f
SHA1 hash: 30926379e6a0096325ba3800730bec73eb1943ca
MD5 hash: b9b6999a2076ed9746a2b0169327be6c
humanhash: california-muppet-river-blossom
File name:SpecPDF.vbs
Download: download sample
Signature NanoCore
Create hunting rule
File size:499'100 bytes
First seen:2021-04-22 06:20:48 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 12288:epwkVfVJsJTtAm+7Jx1zCBExiBsrvJfw2+oDhX+K2s/pFf:0wkVfgoB8srvJ0oZdnJ
Threatray 1'799 similar samples on MalwareBazaar
TLSH FCB4CF336226FCC91B7F2D80B60829520C68789BA366516CFEC60DED69F6644DF5C4F8
Reporter abuse_ch
Tags:NanoCore RAT vbs


Avatar
abuse_ch
NanoCore C2:
179.43.166.32:11940

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
179.43.166.32:11940 https://threatfox.abuse.ch/ioc/9452/
179.43.166.32:10090 https://threatfox.abuse.ch/ioc/9453/

Intelligence

File Origin
# of uploads :
1
# of downloads :
167
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AsyncRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/143546/
Detection(s):
SecuriteInfo.com.Generic-EXE.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.PUA.Base64EXE-2.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Launching a service
Launching a process
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Deleting a recently created file
Creating a file
Sending a UDP request
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Creating a file in the %AppData% directory
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Result
Threat name:
Nanocore AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/692333
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to log keystrokes (.Net Source)
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Potential malicious VBS script found (has network functionality)
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
VBScript performs obfuscated calls to suspicious functions
Yara detected AsyncRAT
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 395100 Sample: SpecPDF.vbs Startdate: 22/04/2021 Architecture: WINDOWS Score: 100 54 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->54 56 Found malware configuration 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 11 other signatures 2->60 9 wscript.exe 3 2->9         started        13 Notepads.exe 2->13         started        process3 file4 32 C:\Users\user\AppData\Local\Temp\f.exe, PE32 9->32 dropped 34 C:\Users\user\AppData\Local\Temp\e.exe, PE32 9->34 dropped 66 Benign windows process drops PE files 9->66 68 VBScript performs obfuscated calls to suspicious functions 9->68 70 Uses schtasks.exe or at.exe to add and modify task schedules 9->70 15 e.exe 14 7 9->15         started        19 f.exe 9 9->19         started        36 C:\Users\user\AppData\...36otepads.exe.log, ASCII 13->36 dropped signatures5 process6 dnsIp7 38 C:\Users\user\AppData\Roaming38otepads.exe, PE32 15->38 dropped 48 Antivirus detection for dropped file 15->48 50 Machine Learning detection for dropped file 15->50 22 Notepads.exe 2 15->22         started        26 wscript.exe 1 15->26         started        42 sys2021.linkpc.net 179.43.166.32, 10090, 11940, 49702 PLI-ASCH Panama 19->42 44 191.96.25.26, 11940, 49724, 49726 AS40676US Chile 19->44 40 C:\Users\user\AppData\Roaming\...\run.dat, data 19->40 dropped 52 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->52 file8 signatures9 process10 dnsIp11 46 sys2021.linkpc.net 22->46 62 Antivirus detection for dropped file 22->62 64 Machine Learning detection for dropped file 22->64 28 schtasks.exe 26->28         started        signatures12 process13 process14 30 conhost.exe 28->30         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2c01956cb3c943f326be2faf3d36c147918724d1813e0fea8ab4df3ef79cb714/
Threat name:
Script-WScript.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2021-04-22 17:35:17 UTC
AV detection:
11 of 47 (23.40%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fqazk3ftzfb7gjv6f6xt2nwbi6iyojgrqe7a72ukwtpt5544w4ka._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
asyncrat
Create hunting rule
Similar samples:
0ad20f0250bd8ca78fc03372babbcb4cff528a5cbb204152f759dd21c3b116ba
NanoCore
0e206f1cf56315c1d4245ca01cac08ebab51decab43760d40e43a754d27da7b6
NanoCore
436b62b367396313b45d402db522aaed95f7adb59e1b18bdad6747f9daf64fe9
NanoCore
4d394ed696ee7fb3d53a7b064c53f2157b28d9f192de912fe311dd284845e4c9
NanoCore
8551c05301b50a17763637cca7f291a6b779c82f16275f734e793f6a0e7e1a17
NanoCore
b072b0366298e08222df44403adc8f67f5561d4da7c20df80198b9177e3d1364
NanoCore
ca17a69a46caf3e05a1cd8bf2f1d6679b55aa6ecf46ee63bf323ee892f88f80e
NanoCore
cce5d9e4fd5ca9142510f3b21d0a73906171e90a815520985687dde13b6e643d
NanoCore
e11f59ce9dae9fcff7ff4c8d3d119dd663a1918d084f8cda7b30c474cd141642
NanoCore
f29b0b35d584de9410f3ffe75e8e4dbc6d90ecbc6f2c4d9382d8faf33e88d80b
NanoCore
+ 1'789 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:nanocore evasion keylogger rat spyware stealer trojan
Link:
https://tria.ge/reports/210422-zdlcnwmhb6/
Behaviour
Creates scheduled task(s)
Kills process with taskkill
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks whether UAC is enabled
Executes dropped EXE
Async RAT payload
AsyncRat
Contains code to disable Windows Defender
NanoCore
Malware Config
C2 Extraction:
:
sys2021.linkpc.net:11940
191.96.25.26:11940
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2c01956cb3c943f326be2faf3d36c147918724d1813e0fea8ab4df3ef79cb714

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/143546/

Comments