MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4179d2225147aa72a656ca1afe21e7379506025d5d8e1da52a05954c85ceaf37. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4179d2225147aa72a656ca1afe21e7379506025d5d8e1da52a05954c85ceaf37
SHA3-384 hash: 463d09d18e6dda0ece10739e56f36bfe373a4534147b0a04b979e3218a7622ba75b2abdfb4345408321c93a96650add1
SHA1 hash: fc6859e8a4c16338702148f6c6e35bd9b35a6bfb
MD5 hash: afd5dddfff1a0d85a3ce8d8b0d99c47e
humanhash: apart-dakota-oregon-charlie
File name:ABU.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:552'960 bytes
First seen:2020-09-25 16:17:34 UTC
Last seen:2020-09-25 16:38:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:DtfFmV5WtDvDwCEkzCs3oA3DEcR0UUhK:SyvDw/2Cs3ogD90hK
Threatray 1'082 similar samples on MalwareBazaar
TLSH 0FC4CF2436E44B15E0BD8B75087D1C6007F7B9069632FE2DFE9C64B90B3BF818A56B19
Reporter James_inthe_box
Tags:exe NanoCore

Intelligence

File Origin
# of uploads :
2
# of downloads :
172
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/65899/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Wacatac.Cml.31388.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Creating a file
Creating a file in the %AppData% subdirectories
Creating a file in the Program Files subdirectories
DNS request
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/475355
Signature
Detected Nanocore Rat
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 290130 Sample: ABU.exe Startdate: 25/09/2020 Architecture: WINDOWS Score: 100 53 Malicious sample detected (through community Yara rule) 2->53 55 Sigma detected: Scheduled temp file as task from temp location 2->55 57 Sigma detected: NanoCore 2->57 59 5 other signatures 2->59 8 ABU.exe 7 2->8         started        12 dhcpmon.exe 6 2->12         started        14 dhcpmon.exe 5 2->14         started        16 MSBuild.exe 4 2->16         started        process3 file4 47 C:\Users\user\AppData\Local\...\tmpD66B.tmp, XML 8->47 dropped 49 C:\Users\user\AppData\...\KTYHdPgmxEKh.exe, PE32 8->49 dropped 63 Writes to foreign memory regions 8->63 65 Injects a PE file into a foreign processes 8->65 18 MSBuild.exe 1 16 8->18         started        23 schtasks.exe 1 8->23         started        25 MSBuild.exe 8->25         started        27 conhost.exe 12->27         started        29 conhost.exe 14->29         started        31 conhost.exe 16->31         started        signatures5 process6 dnsIp7 51 office13.servemp3.com 212.83.139.193, 2017, 49722 OnlineSASFR France 18->51 43 C:\Users\user\AppData\Roaming\...\run.dat, data 18->43 dropped 45 C:\Program Files (x86)\...\dhcpmon.exe, PE32 18->45 dropped 61 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->61 33 schtasks.exe 1 18->33         started        35 schtasks.exe 1 18->35         started        37 conhost.exe 23->37         started        file8 signatures9 process10 process11 39 conhost.exe 33->39         started        41 conhost.exe 35->41         started       
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4179d2225147aa72a656ca1afe21e7379506025d5d8e1da52a05954c85ceaf37/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-09-25 16:16:56 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=if45eisri6vhfjswzinp4iphg6kqmas5lwhb3jjkawkuzboov43q._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
00c0720db185618e9ce9f91b819fcd1c2dfdc909fb4c3eeb224ad83d2551abb2
NanoCore
0a61e8b840644e0fb6739996a0d65da3b8b7f40478e96afbc889d9c7bf65a73f
NanoCore
1ea66d22cfe698b3035d5315288bc4425cff9f997b56f7df3fe72437e0fb28e4
NanoCore
58dea698e2c5b2a9310769bd735db939a1b6ed8cc80fdbc3aa5f0f6e25a074fc
NanoCore
6f135861ec43d793a4951f05009c146c70849534bd8486fa42be291b9820650d
NanoCore
760f1406027ffeb48694e12c4adb7842c216c0771eb08ca172c504078f2edace
NanoCore
9f1a4ce574ea5563c7fc71fe78fcb669dca9a6d88fcbe5ca8a4d6ce81e27afd8
NanoCore
bd7578edc93251752a605e3f4a2edc9bc3d4fabe255b98015f5679a5e8eef947
NanoCore
d11f8cd2987a718cc9d0bd9de289ee8d90555115cb9d03fdc8f0b930898e4a75
NanoCore
f432f50b14cb721f69809523f29c418ec34189bf8277e8881c276528bc9ba472
NanoCore
+ 1'072 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
keylogger trojan stealer spyware family:nanocore persistence
Link:
https://tria.ge/reports/200925-hprkrap8lx/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
NanoCore
Malware Config
C2 Extraction:
office13.servemp3.com:2017
127.0.0.1:2017
Unpacked files
SH256 hash:
4179d2225147aa72a656ca1afe21e7379506025d5d8e1da52a05954c85ceaf37
MD5 hash:
afd5dddfff1a0d85a3ce8d8b0d99c47e
SHA1 hash:
fc6859e8a4c16338702148f6c6e35bd9b35a6bfb
Link:
https://www.unpac.me/results/7963423d-8b68-467f-ba92-3479e3f2e4ec/
SH256 hash:
291ec3dfa9f60778694f9953fa906442a3272c0b831b335158c865e5ea04e9ce
MD5 hash:
0b9ec71d3d64f4027b873126aff40adf
SHA1 hash:
423fd9a223334ad771964a94333250eb33d3ae12
Link:
https://www.unpac.me/results/7963423d-8b68-467f-ba92-3479e3f2e4ec/
SH256 hash:
b09f492049a9fb45a59daf2424bfdcf61622e27282352173e524e909330be91c
MD5 hash:
bf9a41e800fa6bbd5b732ade6e74788e
SHA1 hash:
4988cdb013367e15b65e8cf14f8a71f51aa56d2e
Link:
https://www.unpac.me/results/7963423d-8b68-467f-ba92-3479e3f2e4ec/
SH256 hash:
6721b363cefc37a5ed7972369d618a204c0b6b48758c1eb772ee70ba92c6e460
MD5 hash:
fbdaba1432b422f6290116420af74bd0
SHA1 hash:
7a9929663497cf1e16f5537c775f725db09f8e40
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/7963423d-8b68-467f-ba92-3479e3f2e4ec/
SH256 hash:
0578ccc053c343facf70e23dbe595721ee9e8963c60ad70a3c8e2c4b316a387f
MD5 hash:
353a3c0cd7e7adc84356e54cb9a94e39
SHA1 hash:
eadccb85194cb072b463ba6b0ea1373551d9089a
Link:
https://www.unpac.me/results/7963423d-8b68-467f-ba92-3479e3f2e4ec/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4179d2225147aa72a656ca1afe21e7379506025d5d8e1da52a05954c85ceaf37

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/65899/
  
URLhaus
https://urlhaus.abuse.ch/url/412465/

Comments