MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3dc9838107abe50dfcd90972d2e1a5a8e2aa6e735723fa635927bd4ddb790e81. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence 9 File information Yara 5 Comments

SHA256 hash: 3dc9838107abe50dfcd90972d2e1a5a8e2aa6e735723fa635927bd4ddb790e81
SHA3-384 hash: 15c9a8460959915b5305af586dcd5812372b5ba3c22f0fa38b7421bb909ce219c2dfb67187d65044615614e6683f4bae
SHA1 hash: 380d5b896297a83dc3c3ad6a86c6f9eeaa72fdd7
MD5 hash: be46a654b9b6fef849466ea92d54cc1b
humanhash: potato-hydrogen-red-oklahoma
File name:SecuriteInfo.com.Trojan.PackedNET.362.7860.17521
Download: download sample
Signature NanoCore
File size:610'304 bytes
First seen:2020-08-01 19:36:51 UTC
Last seen:2020-08-02 07:34:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep 12288:VRJ/cvyuHBxa73sIqo11qe6Fl7fDRQ7on/DYYHSB8QswDx7DLtkZWvSto:DJkfMjmM1EVQ7onrYYNQswF7DLqaS6
TLSH 1CD4122DD65DC63ECBEFED39E1416244C73D9243A983FF831A5839998A1B3C858139C6
Reporter @SecuriteInfoCom
Tags:NanoCore

Intelligence


File Origin
# of uploads :
2
# of downloads :
47
Origin country :
FR FR
Mail intelligence
No data
Vendor Threat Intelligence
Detection:
Agenttesla
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a window
Creating a file in the %AppData% subdirectories
Sending a UDP request
Creating a file
DNS request
Connection attempt to an infection source
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Threat name:
Nanocore
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Detected Nanocore Rat
Drops PE files to the startup folder
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Sigma detected: NanoCore
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Threat name:
ByteCode-MSIL.Ransomware.TeslaCrypt
Status:
Malicious
First seen:
2020-07-01 12:23:57 UTC
AV detection:
23 of 31 (74.19%)
Threat level
  5/5
Result
Malware family:
nanocore
Score:
  10/10
Tags:
evasion trojan keylogger stealer spyware family:nanocore
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Drops startup file
NanoCore
Malware Config
Extraction:
79.134.225.12:1996
mogs20.hopto.org:1996

Yara Signatures


Rule name:ach_NanoCore
Author:abuse.ch
Rule name:Nanocore
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Author: Kevin Breen <kevin@techanarchy.net>

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NanoCore

Executable exe 3dc9838107abe50dfcd90972d2e1a5a8e2aa6e735723fa635927bd4ddb790e81

(this sample)

  
Delivery method
Distributed via web download

Comments