MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d29dd2850f00233df8fe98eafa855483b92bf224f0fa023cd3eb39982c15e7c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2d29dd2850f00233df8fe98eafa855483b92bf224f0fa023cd3eb39982c15e7c
SHA3-384 hash: 851fb93846436256fdb35e8cf5635f6f40ad373d655f8276a2e82dc3265b0c648f66bd34e9e308b8e91bbb9d735bf372
SHA1 hash: 5b2de3263b4bd762c69d9cdbaadba29145838a09
MD5 hash: d38d581e5121cf771f9324ab15c7c29a
humanhash: hydrogen-crazy-winter-red
File name:SecuriteInfo.com.Trojan.PWS.Siggen2.52323.23110.27148
Download: download sample
Signature NanoCore
Create hunting rule
File size:559'616 bytes
First seen:2020-07-24 11:03:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:ECROzOt8rvgwR9+w9eg8dOPZChB3+iUvWrFDz94R4xJ5mUwH:EdproALECChBjUva4U
Threatray 1'227 similar samples on MalwareBazaar
TLSH 99C412413F741915EB789ABF08B3D2424BF2D507B967AF8D1A9C38B56623B408507A3F
Reporter SecuriteInfoCom
Tags:NanoCore

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Agenttesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/32181/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.52323.23110.27148.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a window
Creating a file in the %AppData% subdirectories
Creating a file
Creating a file in the Program Files subdirectories
Using the Windows Management Instrumentation requests
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Enabling autorun with Startup directory
Unauthorized injection to a system process
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/397308
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 250919 Sample: SecuriteInfo.com.Trojan.PWS... Startdate: 24/07/2020 Architecture: WINDOWS Score: 100 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 Antivirus detection for dropped file 2->52 54 8 other signatures 2->54 7 SecuriteInfo.com.Trojan.PWS.Siggen2.52323.23110.exe 2 2->7         started        11 HJdyTuap.exe 1 2->11         started        13 wpasv.exe 2 2->13         started        process3 file4 36 C:\Users\user\AppData\...\HJdyTuap.exe, PE32 7->36 dropped 38 SecuriteInfo.com.T...52323.23110.exe.log, ASCII 7->38 dropped 56 Drops PE files to the startup folder 7->56 58 Maps a DLL or memory area into another process 7->58 15 RegAsm.exe 1 8 7->15         started        20 HJdyTuap.exe 11->20         started        22 RegAsm.exe 3 11->22         started        24 conhost.exe 13->24         started        signatures5 process6 dnsIp7 40 79.134.225.12, 49739, 49740, 49741 FINK-TELECOM-SERVICESCH Switzerland 15->40 42 185.244.30.251, 49736, 49737, 49738 DAVID_CRAIGGG Netherlands 15->42 30 C:\Users\user\AppData\Roaming\...\run.dat, data 15->30 dropped 32 C:\Program Files (x86)\...\wpasv.exe, PE32 15->32 dropped 44 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->44 46 Maps a DLL or memory area into another process 20->46 26 RegAsm.exe 2 20->26         started        28 RegAsm.exe 20->28         started        34 C:\Users\user\AppData\...\RegAsm.exe.log, ASCII 22->34 dropped file8 signatures9 process10
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2d29dd2850f00233df8fe98eafa855483b92bf224f0fa023cd3eb39982c15e7c/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2020-07-23 18:57:00 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fuu52kcq6abdhx4p5ghk7kcvja5zfpzcj4h2ai6nh2zztawblz6a._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
17481cdb2d9566e16b46d94992aaf665bc2414c67777b27ad8714904b46fb341
NanoCore
1c2fafc2031b76ab4caf3f91474f023321703a820209da4591192b6ca7cd09d2
NanoCore
32054245e75049e8f048f81d77b6404ba495d6b9026036781be7b3bfc5921efb
NanoCore
3d0df194232db838734552fb3dcad7b175c8f19963a766768d6fa158c50521f3
NanoCore
5349936f32f9d998a6b60cb20c1f8de9eca1f709d362877e2fe32d1a655310d2
NanoCore
5e3140ed7841e6893114a0d4d9c5ee239736449aaba20d2c8939a051e5ef21c5
NanoCore
67fef2f83af3da398f5e144ccc65e18d7d30b57f53d94658cd62fe53d5e3d81b
NanoCore
9af6516cda835f72d8c23f643d16035d6ed101bfcad887689d3c37a1cdfac91b
NanoCore
e33ef485c574d639eae34cd252d97aa78c17718190c98a92f7b6dc5a5fc0cd69
NanoCore
f1fddc0cfd9632772ba10b059d83a1bb34b01a81766e61804bc39ca3898c5211
NanoCore
+ 1'217 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
evasion trojan keylogger stealer spyware family:nanocore persistence
Link:
https://tria.ge/reports/200724-z6bp8wv5pa/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run key to start application
Drops startup file
NanoCore
Malware Config
C2 Extraction:
185.244.30.251:5600
79.134.225.12:5600
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2d29dd2850f00233df8fe98eafa855483b92bf224f0fa023cd3eb39982c15e7c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NanoCore

Executable exe 2d29dd2850f00233df8fe98eafa855483b92bf224f0fa023cd3eb39982c15e7c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/418735/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/32181/

Comments