MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 31adc1dd28145976ae25be96dcdd778bb9e2f7abc8c437e99edd9f2d3e4b872c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 11


Intelligence 11 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 31adc1dd28145976ae25be96dcdd778bb9e2f7abc8c437e99edd9f2d3e4b872c
SHA3-384 hash: 63516b190df20a444e60e4670218e0aeb624405381ea0eddd3fce442617f0431fe552d07bf1837d04d4be792f1879fac
SHA1 hash: c4de0230aa61e6b4144bfd54975d1e9dabed5813
MD5 hash: f53d6e1575c084ae7452bc24d98caa58
humanhash: moon-hot-stream-dakota
File name:Teklif Talebi6726272662.vbs
Download: download sample
Signature NanoCore
Create hunting rule
File size:348'658 bytes
First seen:2023-03-29 06:05:36 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 1536:j89r/aDcWJwG0mtvR/Eg5TaVVaUtb+scmB6sMz80B:KtqZ
TLSH T1D9745EC039E99004A2D27D878F5FFE6E073FB6EA9438DE5988EC0A8D27DE54144127D9
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Reporter abuse_ch
Tags:NanoCore RAT vbs


Avatar
abuse_ch
NanoCore C2:
141.98.6.231:6318

Intelligence

File Origin
# of uploads :
1
# of downloads :
151
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/378367/
Detection(s):
Sanesecurity.Malware.29053.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.VBS.Obfus-101.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/6423d54a8e162174987d4eaa/reports/f172cd0b-f850-4df0-b3b3-d88bb02bba55/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/31adc1dd28145976ae25be96dcdd778bb9e2f7abc8c437e99edd9f2d3e4b872c
Result
Verdict:
SUSPICIOUS
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1204038
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Sigma detected: NanoCore
Snort IDS alert for network traffic
Suspicious powershell command line found
Uses dynamic DNS services
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 836954 Sample: Teklif_Talebi6726272662.vbs Startdate: 29/03/2023 Architecture: WINDOWS Score: 100 39 Snort IDS alert for network traffic 2->39 41 Multi AV Scanner detection for domain / URL 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 7 other signatures 2->45 7 wscript.exe 1 2->7         started        10 dhcpmon.exe 2 2->10         started        12 dhcpmon.exe 1 2->12         started        process3 signatures4 47 VBScript performs obfuscated calls to suspicious functions 7->47 49 Suspicious powershell command line found 7->49 51 Wscript starts Powershell (via cmd or directly) 7->51 53 Very long command line found 7->53 14 powershell.exe 14 7 7->14         started        18 conhost.exe 10->18         started        20 conhost.exe 12->20         started        process5 dnsIp6 37 84.54.50.76, 49689, 80 LVLT-10753US Germany 14->37 57 Writes to foreign memory regions 14->57 59 Injects a PE file into a foreign processes 14->59 22 RegSvcs.exe 1 11 14->22         started        27 conhost.exe 14->27         started        signatures7 process8 dnsIp9 33 telenaxty.ddns.net 141.98.6.231, 49690, 49693, 49700 CMCSUS Germany 22->33 35 192.168.2.1 unknown unknown 22->35 29 C:\Users\user\AppData\Roaming\...\run.dat, ISO-8859 22->29 dropped 31 C:\Users\user\AppData\Roaming\...\dhcpmon.exe, PE32 22->31 dropped 55 Hides that the sample has been downloaded from the Internet (zone.identifier) 22->55 file10 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/31adc1dd28145976ae25be96dcdd778bb9e2f7abc8c437e99edd9f2d3e4b872c/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-03-29 02:23:22 UTC
File Type:
Text (VBS)
AV detection:
1 of 37 (2.70%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ggw4dxjicrmxnlrfx2lnzxlxro46f55lzdcdp2m63wps2pslq4wa._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230329-gtqvpsgf2v/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Blocklisted process makes network request
NanoCore
Malware Config
C2 Extraction:
telenaxty.ddns.net:6318
Malware family:
NanoCore
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/31adc1dd2814/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.87
Link:
https://yomi.yoroi.company/submissions/31adc1dd28145976ae25be96dcdd778bb9e2f7abc8c437e99edd9f2d3e4b872c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:malware_Nanocore_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:MALWARE_Win_NanoCore
Create hunting rule
Author:ditekSHen
Description:Detects NanoCore
Rule name:nanocore_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Feb18_1_RID2DF1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:Nanocore_RAT_Gen_2_RID2D96
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_Nanocore_d8c4e3c5
Create hunting rule
Author:Elastic Security
Rule name:win_nanocore_w0
Create hunting rule
Author:Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/378367/

Comments