MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3819ae41f2ca9955cb15ce989dbc0ec79698e0ce18e58fa973f48dbb932a3997. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 8 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3819ae41f2ca9955cb15ce989dbc0ec79698e0ce18e58fa973f48dbb932a3997
SHA3-384 hash: 29e89babdbec12f9e3d326b85447452dbe251e9643b96c9d22e8a0e75f3037a4ced1dc8f71d293dec265826d5cf8f637
SHA1 hash: e5ef978bac00b8117bbe0dbe2c6eed66d3140543
MD5 hash: eed760e497a3dd0323f4e9623cf4f953
humanhash: edward-hydrogen-xray-oranges
File name:BILLING STATEMENT.pdf.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:1'020'040 bytes
First seen:2021-05-17 08:15:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 12288:PQnk3GDYKGcblqQJ8yJskpz60CZV9n+szukLFoEVwjPb836B1WgZsjZoQ9P+rlkT:BAOcZpJBJ3W/lFFoEVwjTpW2so0UBX4
Threatray 2'371 similar samples on MalwareBazaar
TLSH C5251202FAD28C72D5731932592577126D7DBE205F34EA2FB3E4586DEE301816628FA3
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
NanoCore C2:
185.19.85.139:9036

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.19.85.139:9036 https://threatfox.abuse.ch/ioc/43912/

Intelligence

File Origin
# of uploads :
1
# of downloads :
147
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
BILLING STATEMENT.pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-05-17 08:18:13 UTC
Tags:
rat nanocore trojan
Link:
https://app.any.run/tasks/328382d3-45eb-40bb-955c-1a78f0f103cd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/157785/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a file
Creating a file in the %temp% directory
Adding an access-denied ACE
Launching a process
Deleting a recently created file
DNS request
Using the Windows Management Instrumentation requests
Sending a UDP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Sending a TCP request to an infection source
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/783342
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Drops PE files with a suspicious file extension
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM autoit script
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 415743 Sample: BILLING STATEMENT.pdf.exe Startdate: 17/05/2021 Architecture: WINDOWS Score: 100 43 shahzad73.ddns.net 2->43 49 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->49 51 Multi AV Scanner detection for domain / URL 2->51 53 Found malware configuration 2->53 55 12 other signatures 2->55 10 BILLING STATEMENT.pdf.exe 39 2->10         started        13 rbtkj.pif 2->13         started        16 RegSvcs.exe 2 2->16         started        signatures3 process4 file5 37 C:\Users\user\AppData\Roaming\...\rbtkj.pif, PE32 10->37 dropped 18 rbtkj.pif 1 3 10->18         started        69 Writes to foreign memory regions 13->69 71 Allocates memory in foreign processes 13->71 73 Injects a PE file into a foreign processes 13->73 22 RegSvcs.exe 2 13->22         started        24 conhost.exe 16->24         started        signatures6 process7 file8 35 C:\Users\user\AppData\Local\...\RegSvcs.exe, PE32 18->35 dropped 57 Multi AV Scanner detection for dropped file 18->57 59 Writes to foreign memory regions 18->59 61 Allocates memory in foreign processes 18->61 63 Injects a PE file into a foreign processes 18->63 26 RegSvcs.exe 9 18->26         started        signatures9 process10 dnsIp11 45 shahzad73.casacam.net 185.19.85.139, 49732, 49739, 49740 DATAWIRE-ASCH Switzerland 26->45 47 shahzad73.ddns.net 26->47 39 C:\Users\user\AppData\Roaming\...\run.dat, data 26->39 dropped 41 C:\Users\user\AppData\Local\...\tmp37DC.tmp, XML 26->41 dropped 65 Uses schtasks.exe or at.exe to add and modify task schedules 26->65 67 Hides that the sample has been downloaded from the Internet (zone.identifier) 26->67 31 schtasks.exe 1 26->31         started        file12 signatures13 process14 process15 33 conhost.exe 31->33         started       
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3819ae41f2ca9955cb15ce989dbc0ec79698e0ce18e58fa973f48dbb932a3997/
Threat name:
Win32.Backdoor.NanoCore
Create hunting rule
Status:
Malicious
First seen:
2021-05-17 08:16:12 UTC
AV detection:
22 of 47 (46.81%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ham24qpszkmvlsyvz2mj3paoy6ljrygoddsy7klt6sg3xezkhglq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
19c0312864d584912db9c26e1e52470276c02e8a309a8f9d58be6df48f50452f
NanoCore
63df29d3fa84705de35251b66c3cf555ba225d9a2b064edbd566ccd1b3c59e07
NanoCore
7044d232a489bff666d788729e41db7c74ad7f0d94f1a212fce0694855ecd899
NanoCore
90bb157f9c5241f567eb56be38e3ba9f51a0ec5a8da3c77fdb1bed1f2095c39b
NanoCore
a30dd99039152a76aacb5607d79b400098d9cd24350c0121fe4f7811177c0dbc
NanoCore
ab62f6c3ea852d99ce529f9c61012ab324bb007f79cc6cba9c8f6c1aaba4c561
NanoCore
b4457b3e745bbed3ab4d61442ae846c3a06d42280c2937e406e48fea05fed6e0
NanoCore
e777a395f2d28d4b57113b46bb4af52ec1e6d1d48342d0fb24a142df1fffbdc7
NanoCore
f2597b91433ba86188dd0e53cf04d2c43d97f5231bc3077df18e75447f15c77c
NanoCore
f5b99bdcb3a09ccef9455e82dff1902b6913280d293be51d87de78fc418e9f72
NanoCore
+ 2'361 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210517-2bvsqm8pns/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Executes dropped EXE
NanoCore
Malware Config
C2 Extraction:
shahzad73.ddns.net:9036
shahzad73.casacam.net:9036
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3819ae41f2ca9955cb15ce989dbc0ec79698e0ce18e58fa973f48dbb932a3997

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:nanocore_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/157785/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-17 09:33:11 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [C0029.002] Cryptography Micro-objective::SHA1::Cryptographic Hash
1) [C0029.003] Cryptography Micro-objective::SHA256::Cryptographic Hash
2) [C0031.001] Cryptography Micro-objective::AES::Decrypt Data
3) [C0032.001] Data Micro-objective::CRC32::Checksum
4) [C0026.002] Data Micro-objective::XOR::Encode Data
5) [C0030.001] Data Micro-objective::MurmurHash::Non-Cryptographic Hash
6) [F0004.007] Defense Evasion::Bypass Windows File Protection
8) [C0046] File System Micro-objective::Create Directory
9) [C0048] File System Micro-objective::Delete Directory
10) [C0047] File System Micro-objective::Delete File
11) [C0049] File System Micro-objective::Get File Attributes
12) [C0051] File System Micro-objective::Read File
13) [C0050] File System Micro-objective::Set File Attributes
14) [C0052] File System Micro-objective::Writes File
15) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
16) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
17) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
18) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
19) [C0036.001] Operating System Micro-objective::Set Registry Key::Registry
20) [C0040] Process Micro-objective::Allocate Thread Local Storage
21) [C0017] Process Micro-objective::Create Process
22) [C0038] Process Micro-objective::Create Thread
23) [C0041] Process Micro-objective::Set Thread Local Storage Value
24) [C0018] Process Micro-objective::Terminate Process