MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 34f450ec184c1382da4bfb8b23a01270e6786e2b3a94170ba530dd1899bfb32f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 34f450ec184c1382da4bfb8b23a01270e6786e2b3a94170ba530dd1899bfb32f
SHA3-384 hash: 7abeda8dc5148d137885dc3e287b676bb4b44f0325808f6aa4e8e1cc721599f19232f7098ec6dbca72d7b6b9de00578d
SHA1 hash: 87fdd3f035d4f0531ade11e7c12e04f9218c1b3a
MD5 hash: d678db04e2904a91787b097d251db360
humanhash: river-ack-jersey-vegan
File name:NEW ORDER 50708, 61062.scr
Download: download sample
Signature NanoCore
Create hunting rule
File size:996'352 bytes
First seen:2022-12-16 18:52:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'636 x Formbook, 12'244 x SnakeKeylogger)
ssdeep 12288:DLPc8ujAuYXBspO+qWecaxdYbvvToO8KxXGia:D4tjA7XBsNRaXyv7oONgi
Threatray 10'866 similar samples on MalwareBazaar
TLSH T1F3254A1D9BCCE6B0EFD3BEF2066A6FD02A02EDD81E53A159493F719D0D30210F926965
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 5944c4d8ccd4d06d (2 x NanoCore)
Reporter Anonymous
Tags:exe NanoCore

Intelligence

File Origin
# of uploads :
1
# of downloads :
244
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
nanocore
Create hunting rule
ID:
1
File name:
NEW ORDER 50708, 61062.scr
Verdict:
Malicious activity
Analysis date:
2022-12-16 18:54:26 UTC
Tags:
nanocore
Link:
https://app.any.run/tasks/6793e082-4f13-42fd-83c6-26b13dea891d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/347084/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.48217.UNOFFICIAL
Create hunting rule

Porcupine.MSIL.Kryptik.AHLA.62230.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/639cbe8f73102ebf5216d22d/reports/14caa848-8ab5-430a-ae76-645e4541f92c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NanoCoreRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/00bdc66a-bc3c-473d-833a-446dd12315be
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1135928
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 768658 Sample: NEW ORDER 50708, 61062.scr.exe Startdate: 16/12/2022 Architecture: WINDOWS Score: 100 67 Multi AV Scanner detection for domain / URL 2->67 69 Malicious sample detected (through community Yara rule) 2->69 71 Antivirus detection for URL or domain 2->71 73 15 other signatures 2->73 8 NEW ORDER 50708, 61062.scr.exe 7 2->8         started        12 gwzhqPgwH.exe 5 2->12         started        14 NEW ORDER 50708, 61062.scr.exe 2->14         started        process3 file4 57 C:\Users\user\AppData\Roaming\gwzhqPgwH.exe, PE32 8->57 dropped 59 C:\Users\...\gwzhqPgwH.exe:Zone.Identifier, ASCII 8->59 dropped 61 C:\Users\user\AppData\Local\...\tmp4731.tmp, XML 8->61 dropped 63 C:\...63EW ORDER 50708, 61062.scr.exe.log, ASCII 8->63 dropped 77 Adds a directory exclusion to Windows Defender 8->77 16 NEW ORDER 50708, 61062.scr.exe 8 8->16         started        21 powershell.exe 19 8->21         started        23 powershell.exe 21 8->23         started        33 3 other processes 8->33 79 Antivirus detection for dropped file 12->79 81 Multi AV Scanner detection for dropped file 12->81 83 Machine Learning detection for dropped file 12->83 35 3 other processes 12->35 85 Injects a PE file into a foreign processes 14->85 25 powershell.exe 14->25         started        27 powershell.exe 14->27         started        29 schtasks.exe 14->29         started        31 NEW ORDER 50708, 61062.scr.exe 14->31         started        signatures5 process6 dnsIp7 65 timduckdns0123.duckdns.org 105.113.17.23, 52095 VNL1-ASNG Nigeria 16->65 55 C:\Users\user\AppData\Roaming\...\run.dat, ISO-8859 16->55 dropped 75 Hides that the sample has been downloaded from the Internet (zone.identifier) 16->75 37 schtasks.exe 16->37         started        39 conhost.exe 21->39         started        41 conhost.exe 23->41         started        43 conhost.exe 25->43         started        45 conhost.exe 27->45         started        47 conhost.exe 29->47         started        49 conhost.exe 33->49         started        51 conhost.exe 35->51         started        file8 signatures9 process10 process11 53 conhost.exe 37->53         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/34f450ec184c1382da4bfb8b23a01270e6786e2b3a94170ba530dd1899bfb32f/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2022-12-12 10:05:52 UTC
File Type:
PE (.Net Exe)
Extracted files:
24
AV detection:
20 of 40 (50.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gt2fb3ayjqjyfwsl7ofshiasodthq3rlhkkboc5fgdorrgn7wmxq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
11990c08ba3e1eb0f464d9850bb76696a89f95c0368e3634488139f25b96bf42
NanoCore
2bb8b8717844a531b62af7b3a84d1457e749803babec6b25c473626006e4a85a
NanoCore
2ce431fd24a816b14cf7bc9110b959addbe592c8994c7cc8f5b83b8b836ccd93
NanoCore
556db57800de1a678ad62a5d6c85e2de783f3965429679a5c0f584ca3bc483ed
NanoCore
645133b4edd49ca521a1474f406ad09ac6c2511a7abb49279681da9c25e19275
NanoCore
66bfee7c40de7f8f6e9d20b337fc22d9eec1a5a1764d3b29c26639ebdeeddc71
NanoCore
672b918c5c82cfed617eeca2ab662854d2e9feef0031f7a72025962f3ee867ca
NanoCore
90a12c6f1f1a444359902cea58e65e053edc3997be8b5b564a06a5072c0e334e
NanoCore
b222eba2cd4a7a37d8b38083130df60200958d6cd0175c8e827e30a6b434c452
NanoCore
d5c2951b5fada26015c7b4520529d7c24f285aaccdae3768956513c86cf4195d
NanoCore
+ 10'856 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger spyware stealer trojan
Link:
https://tria.ge/reports/221216-xjlq1afc94/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Checks computer location settings
NanoCore
Malware Config
C2 Extraction:
timduckdns0123.duckdns.org:52095
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e674ba3c-d126-4a24-9907-bd745c492dbe
Unpacked files
SH256 hash:
92912d79baf14711d873ffe42d9dd7a4ff3b4b33de4fa92932dd41e0874f8fe0
MD5 hash:
8a85beee923f36d2e7268cd436a11029
SHA1 hash:
ee8ef855ed65b676b7d2e28e1c0e01906de6245f
Link:
https://www.unpac.me/results/171214ec-bc9c-4e90-b46f-04aa2ee4fcf3/
SH256 hash:
2485fb22dc9d5de750139afbd1844405f41bbe6d22754a8604802e58a3b3cf6a
MD5 hash:
db6706c645447d153eba53a73130d5a1
SHA1 hash:
5ff031e3a32df3377f609a853d0b295498c2e2a1
Link:
https://www.unpac.me/results/171214ec-bc9c-4e90-b46f-04aa2ee4fcf3/
SH256 hash:
0973b98333032ec64bbefd1973259508b0e02cf3f6709cf36ab232e6f204e277
MD5 hash:
c6584223cfb1d6be4435d6c500c5952c
SHA1 hash:
5da340b873e00633080859a414b3fbf79e74d75d
Link:
https://www.unpac.me/results/171214ec-bc9c-4e90-b46f-04aa2ee4fcf3/
SH256 hash:
922915132a628d0050bf03a473370544dde3323627fb4adcba3f1ba869537e50
MD5 hash:
1ecb63625d636b0b8f8ebdece9fa80c3
SHA1 hash:
5623d5ad21fc63893011bae7e4709c51219fcc1c
Link:
https://www.unpac.me/results/171214ec-bc9c-4e90-b46f-04aa2ee4fcf3/
SH256 hash:
b74718e1d3000bb9e56ff40cbb6efa1f7612e1799bd8bcef3b53d479c3e174aa
MD5 hash:
e57d249fac3479ec8a1ffac2b309681f
SHA1 hash:
54834b0d1c1eb3988c92ea708fcb20945e86010b
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/171214ec-bc9c-4e90-b46f-04aa2ee4fcf3/
Parent samples :
25d056bc969802e62370d8876bab34af292714b1af384ad8a086ea7ee8bdee20
58baa4293f2d7c819ba619c08d1e4ce26e859a9efb05cd1289bd09c4880985f6
0f0929204a823b8c707af1608942900a2f09a42fc34e3c14560db4df7c4034b1
34f450ec184c1382da4bfb8b23a01270e6786e2b3a94170ba530dd1899bfb32f
SH256 hash:
34f450ec184c1382da4bfb8b23a01270e6786e2b3a94170ba530dd1899bfb32f
MD5 hash:
d678db04e2904a91787b097d251db360
SHA1 hash:
87fdd3f035d4f0531ade11e7c12e04f9218c1b3a
Link:
https://www.unpac.me/results/171214ec-bc9c-4e90-b46f-04aa2ee4fcf3/
Malware family:
NanoCore
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/34f450ec184c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/34f450ec184c1382da4bfb8b23a01270e6786e2b3a94170ba530dd1899bfb32f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

Executable exe 34f450ec184c1382da4bfb8b23a01270e6786e2b3a94170ba530dd1899bfb32f

(this sample)

  
Dropped by
NanoCore
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/347084/

Comments