MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 31ba519be2122d5b370fc2a9a779964f9d3c7b7db26a49cb0f7f34063612c00a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 12

Intelligence 12 IOCs YARA 7 File information Comments

SHA256 hash:	31ba519be2122d5b370fc2a9a779964f9d3c7b7db26a49cb0f7f34063612c00a
SHA3-384 hash:	8023b46edfc74ab0e3a63af19394d024d87d664511cd03cf3b5d4ccb85a69ee15ae5801c76f49e1cc2c7f11bd4faa452
SHA1 hash:	00a43608bd1570bb51b55f54edf33fc1d181012e
MD5 hash:	c82aae78260a49a2b98d76f5f0edeaa2
humanhash:	sink-glucose-yellow-paris
File name:	c82aae78260a49a2b98d76f5f0edeaa2.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	706'560 bytes
First seen:	2021-02-23 17:40:23 UTC
Last seen:	2021-02-23 20:00:28 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:mYsIa7EcKNrc7QDlE+5bo1M9AdwqkKnzrLFAdkavqv6IX5:mCa+qMRjbo1M9AZ
Threatray	1'872 similar samples on MalwareBazaar
TLSH	3EE45A7C723074AEC40F887B9964DC2052227826473FA1367B17F15C451E6B2AA5FEAF
Reporter	abuse_ch
Tags:	exe NanoCore RAT

abuse_ch

NanoCore RAT C2:
45.15.143.249:7890

Intelligence

File Origin

# of uploads :

# of downloads :

113

Origin country :

n/a

Vendor Threat Intelligence

Detection:

NanoCore

Link:

https://www.capesandbox.com/analysis/118760/

Detection(s):

SecuriteInfo.com.Trojan.Packed2.42850.12663.10446.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Creating a file in the %AppData% directory

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Creating a file

Creating a file in the %AppData% subdirectories

Creating a file in the Program Files subdirectories

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Enabling autorun by creating a file

Unauthorized injection to a system process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Nanocore

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/615804

Signature

Allocates memory in foreign processes

Binary contains a suspicious time stamp

Detected Nanocore Rat

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected Nanocore RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

nanocore

Link:

https://mwdb.cert.pl/sample/31ba519be2122d5b370fc2a9a779964f9d3c7b7db26a49cb0f7f34063612c00a/

Threat name:

ByteCode-MSIL.Trojan.Strictor

Status:

Malicious

First seen:

2021-02-23 17:12:37 UTC

AV detection:

18 of 29 (62.07%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=gg5fdg7cciwvwnypyku2o6mwj6oty635wjvetsypp42amnqsyafa._file

Verdict:

malicious

Label(s):

nanocorerat

NanoCore

23c992572207103a5fb54631a8dedf4206450604880d02bc046f353721805cc2

NanoCore

4ca8b2b5f0644443aa9a514e211ee81d544fc6554734ff01609c03b733823881

NanoCore

53006066e227644c4004569894469b03cf75c1b88c9adc903437cad16508e1f9

NanoCore

6ce920a9bc60cc2388297a52758765c835b0ee670b42e5b965ae0731efcf24ec

NanoCore

91ec8e2e85917775a7055500c887bf49371679f772bd917c69dfb2b628f4a680

NanoCore

a9e29436ef50f76f0d8c46e62205491e8acbea0e22f38fcbd5d38719264897d1

NanoCore

aec83b31afe9607016c7698162d85240a7a17d5399b99bb92572fa36f173e738

NanoCore

cce5d9e4fd5ca9142510f3b21d0a73906171e90a815520985687dde13b6e643d

NanoCore

f1f3d5f8746c283035bd87b68edf20257627350539b9527a2e765ffd49008906

NanoCore

+ 1'862 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

family:nanocore keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/210223-rkscb4s4bj/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Program Files directory

Suspicious use of SetThreadContext

Adds Run key to start application

NanoCore

Malware Config

C2 Extraction:

45.15.143.249:7890
helpout.duckdns.org:7890

Unpacked files

SH256 hash:

78005accdd06830d7903e3516431d34d6d003a855f30945f18a30cc3cb4f4d69

MD5 hash:

07c7396c6a11778a86bda32a868345c8

SHA1 hash:

3eeb0780cb9c6031702d2a975e939e0ee74f87d7

Link:

https://www.unpac.me/results/8c41e3cf-38e4-4972-ac15-9707858e1e53/

SH256 hash:

d36d226da4a43e0a36c40b855f7a0051c209e7b6d4bd13ad36671264d4ea668c

MD5 hash:

e696452ee72857c8f8555a816faf8268

SHA1 hash:

39862506bf24caf2e1abde0c73483a1bf7aa7548

Detections:

win_nanocore_w0

Link:

https://www.unpac.me/results/8c41e3cf-38e4-4972-ac15-9707858e1e53/

Parent samples :

31ba519be2122d5b370fc2a9a779964f9d3c7b7db26a49cb0f7f34063612c00a
962debf4655a7917256ad3234217b1927a2c88afd4631ed8258121c5b9e2dfee

SH256 hash:

f0a09c48af16c079c37ad0914f18897976357981fe5ee6f556ab9f9f70b9a671

MD5 hash:

f984a71581f6da5732110be2a569a392

SHA1 hash:

10de05b6b35fc5dbc00c42d59a4b850bcaae01e6

Link:

https://www.unpac.me/results/8c41e3cf-38e4-4972-ac15-9707858e1e53/

SH256 hash:

31ba519be2122d5b370fc2a9a779964f9d3c7b7db26a49cb0f7f34063612c00a

MD5 hash:

c82aae78260a49a2b98d76f5f0edeaa2

SHA1 hash:

00a43608bd1570bb51b55f54edf33fc1d181012e

Link:

https://www.unpac.me/results/8c41e3cf-38e4-4972-ac15-9707858e1e53/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/31ba519be2122d5b370fc2a9a779964f9d3c7b7db26a49cb0f7f34063612c00a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	nanocore_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name:	win_nanocore_w0 Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/118760/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample