MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 396b6c41ac9807ef01fb5b3be94474857c85cbad51c0b21855431552fe1876a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 10

Intelligence 10 IOCs YARA 5 File information Comments

SHA256 hash:	396b6c41ac9807ef01fb5b3be94474857c85cbad51c0b21855431552fe1876a0
SHA3-384 hash:	458763342e8426e1c8c7d287bbe1ba2282fb5ff70d1cc8c18f7a7800bde2ffa1c5a6b9b0b7020b9f6c23aac2077a3e13
SHA1 hash:	a2dab08cc0b6419a063aca09245a9be5093307fe
MD5 hash:	2c9db9da55b4521687e0838353f9a0ff
humanhash:	oklahoma-single-one-idaho
File name:	list of requied order.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	664'064 bytes
First seen:	2020-08-10 13:06:24 UTC
Last seen:	2020-08-10 14:03:19 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'737 x AgentTesla, 19'596 x Formbook, 12'240 x SnakeKeylogger)
ssdeep	12288:3ssqfDGWxEa8iAxLf297+bmZ/FPdx1poNi6:eGWeRiAxjACCvPdjuNi6
Threatray	2'142 similar samples on MalwareBazaar
TLSH	BDE46C1CAC6C8C10CB151777C589A81E5268AC027BF1D9EF7B8B321B43797F2A6711AD
Reporter	abuse_ch
Tags:	exe Hostwinds NanoCore RAT

abuse_ch

Malspam distributing NanoCore:

HELO: hwsrv-758891.hostwindsdns.com
Sending IP: 104.168.203.3
From: Afzal Abdulla <info@loburig.com>
Subject: Fw: List of required order 10-08-2020
Attachment: List od requied order.r01 (contains "list of requied order.exe")

NanoCore RAT C2:
mn255.freeddns.org

Intelligence

File Origin

# of uploads :

# of downloads :

100

Origin country :

n/a

Vendor Threat Intelligence

Detection:

NanoCore

Link:

https://www.capesandbox.com/analysis/42777/

Detection(s):

SecuriteInfo.com.Generic.mg.2c9db9da55b45216.2240.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Launching a process

Creating a process with a hidden window

Result

Threat name:

Nanocore

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/416949

Signature

.NET source code contains potential unpacker

Allocates memory in foreign processes

Detected Nanocore Rat

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected AntiVM_3

Yara detected Nanocore RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

nanocore

Link:

https://mwdb.cert.pl/sample/396b6c41ac9807ef01fb5b3be94474857c85cbad51c0b21855431552fe1876a0/

Threat name:

ByteCode-MSIL.Backdoor.Androm

Status:

Malicious

First seen:

2020-08-10 13:08:08 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=hfvwyqnmtad66ap3lm56srduqv6ils5nkhalegcvimkvf7qyo2qa._file

Verdict:

malicious

Label(s):

nanocorerat

agenttesla

NanoCore

44e32cacf45f4d123ecdee7dcde7f7b3280834aeb576d58fdd0bf78c8028db4c

NanoCore

4b99d1a940dfd192ed667c4ba4818e62f7af85cb6bf48cf967aa233dae912ea1

NanoCore

4ede93704fe2c1189b94f751273bceb736bf383055f282c074bc7650c80ada0e

NanoCore

656e99ec9ba18c70b338604ef390ce523a35339c8bc556ff2963ca2ce87baec7

NanoCore

78e55f5d97975e4cf6311a60737df82954d27fb24eaf463c76f2f4b544ce069d

NanoCore

8366973011083e5a6ddd8b602c3bfb70d6334e9a28a0113215197c97774d6b0c

NanoCore

9ca497f6231180ec374837cf77e099a25e8c5cffa16c6599739c92ee03a94d34

NanoCore

b3eea3acbb129b3be2fe22a3c4b4cff9663939b9783f41a9931aecdfb318dd7c

NanoCore

eb29cff78bd1361ba91bcc9abfba066afe030631bffbb0690a6ac9f407a4b5b6

NanoCore

+ 2'132 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

evasion trojan keylogger stealer spyware family:nanocore

Link:

https://tria.ge/reports/200810-jf7kqeegs2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetThreadContext

Checks whether UAC is enabled

NanoCore

Malware Config

C2 Extraction:

mn255.freeddns.org:1605

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/396b6c41ac9807ef01fb5b3be94474857c85cbad51c0b21855431552fe1876a0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/