MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 3958c096f9bae8e96033422b4a3a7eaae19b1fbbeb0dec5c131954dd0042d9e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
NanoCore
Vendor detections: 16
| SHA256 hash: | 3958c096f9bae8e96033422b4a3a7eaae19b1fbbeb0dec5c131954dd0042d9e9 |
|---|---|
| SHA3-384 hash: | 661f6d243dba437f75e14c945ee3e45d722bd3036a48fcf8c692947d041b029abac9deb8ce0535b29d04763a325153fc |
| SHA1 hash: | 52404c72c4bf8081954182361d56bc0782246a6b |
| MD5 hash: | 9dfa49df5417230c1f47e98bcaa03b7c |
| humanhash: | lake-north-mexico-washington |
| File name: | T.T Copies.exe |
| Signature | NanoCore |
| File size: | 591'872 bytes |
| First seen: | 2022-07-22 13:05:55 UTC |
| Last seen: | Never |
| File type: | |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger) |
| ssdeep | 12288:oi31h3B7kc2lLc+HJvQM7yq6woHGF+Fx8:omx74lLcEQaolFx |
| Threatray | 4'919 similar samples on MalwareBazaar |
| TLSH | T130C4018F68AC932BE4788BB91027C93753793D36EE73F74A7D8530C790967A20215297 |
| TrID | 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13); 10.4% (.EXE) Win64 Executable (generic) (10523/12/4); 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2); 4.4% (.EXE) Win32 Executable (generic) (4505/5/1); 2.0% (.EXE) OS/2 Executable (generic) (2029/13) |
| Reporter | |
| Tags: | exe NanoCore |
Intelligence
File Origin
Vendor Threat Intelligence
Malware Config
194.87.84.118:1187
Unpacked files
Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | ach_NanoCore |
|---|---|
| Author: | abuse.ch |
| Rule name: | malware_Nanocore_strings |
|---|---|
| Author: | JPCERT/CC Incident Response Group |
| Description: | detect Nanocore in memory |
| Reference: | internal research |
| Rule name: | MALWARE_Win_NanoCore |
|---|---|
| Author: | ditekSHen |
| Description: | Detects NanoCore |
| Rule name: | nanocore_rat |
|---|---|
| Author: | jeFF0Falltrades |
| Rule name: | Nanocore_RAT_Feb18_1 |
|---|---|
| Author: | Florian Roth |
| Description: | Detects Nanocore RAT |
| Reference: | Internal Research - T2T |
| Rule name: | Nanocore_RAT_Feb18_1_RID2DF1 |
|---|---|
| Author: | Florian Roth |
| Description: | Detects Nanocore RAT |
| Reference: | Internal Research - T2T |
| Rule name: | Nanocore_RAT_Gen_2 |
|---|---|
| Author: | Florian Roth |
| Description: | Detetcs the Nanocore RAT |
| Reference: | https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
| Rule name: | Nanocore_RAT_Gen_2_RID2D96 |
|---|---|
| Author: | Florian Roth |
| Description: | Detetcs the Nanocore RAT |
| Reference: | https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
| Rule name: | pe_imphash |
|---|---|
| Rule name: | Skystars_Malware_Imphash |
|---|---|
| Author: | Skystars LightDefender |
| Description: | imphash |
| Rule name: | win_nanocore_w0 |
|---|---|
| Author: | Kevin Breen <kevin@techanarchy.net> |
File information
The table below shows additional information about this malware sample such as delivery method and external references.