MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 41a16c2fac901e39b8d73bd18aee3a42b510c0e5a7984bb139584299b7356d16. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 9

Intelligence 9 IOCs YARA 5 File information Comments

SHA256 hash:	41a16c2fac901e39b8d73bd18aee3a42b510c0e5a7984bb139584299b7356d16
SHA3-384 hash:	5078d3f21c75133f2030b5af272058a01a21d39233f98af93d98913f43a567effb0deb6a3015da34d6f3d5413c822365
SHA1 hash:	d6f4dd99aaa57c0c75ff10e1570b013fdc3382ac
MD5 hash:	b343187fe97a819309b12e5b87d595cf
humanhash:	red-network-finch-fifteen
File name:	Ricevuta di notifica del corriere Pelican Express.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	417'280 bytes
First seen:	2020-08-05 07:49:57 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'477 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:roiUSswKX0zsEiHnXzagM8QieCey5efX:MimbXU3iHnDXM8QieVy
Threatray	1'100 similar samples on MalwareBazaar
TLSH	3294E01C76A4A65DF1BA1E3F1C3149838E26F85FDE61D24B69B91128007E68CFC72F61
Reporter	abuse_ch
Tags:	exe geo ITA NanoCore RAT

abuse_ch

Malspam distributing NanoCore:

From: Corriere espresso Pelican <info@patgon-cl.com>
Subject: Ricevuta di notifica del corriere Pelican Express
Attachment: Ricevuta di notifica del corriere Pelican Express.r11 (contains "Ricevuta di notifica del corriere Pelican Express.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/39116/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Creating a file in the %AppData% directory

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Creating a file

Creating a file in the %AppData% subdirectories

DNS request

Sending a TCP request to an infection source

Enabling autorun by creating a file

Unauthorized injection to a system process

Result

Threat name:

Nanocore

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/410413

Signature

.NET source code contains potential unpacker

Allocates memory in foreign processes

Detected Nanocore Rat

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected AntiVM_3

Yara detected Nanocore RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

nanocore

Link:

https://mwdb.cert.pl/sample/41a16c2fac901e39b8d73bd18aee3a42b510c0e5a7984bb139584299b7356d16/

Threat name:

ByteCode-MSIL.Trojan.FormBook

Status:

Malicious

First seen:

2020-08-05 07:51:07 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=igqwyl5msapdtogxhpiyv3r2ik2rbqhfu6mexmjzlbbjtnzvnula._file

Verdict:

malicious

Label(s):

nanocorerat

NanoCore

55a85320a226d58c12355a5836a77fd17fd270fefa30612da9e6a79b9f17b222

NanoCore

756fde810887452ab2533283973f2e582df198988bcafde9f20dc85e35f4d5c4

NanoCore

91ec8e2e85917775a7055500c887bf49371679f772bd917c69dfb2b628f4a680

NanoCore

b3278c2b73f1b45d1d440b080dd563191b03794243f1ded305ff62b288accd75

NanoCore

b8d17b00725d58556c468f413f0825f5ac4fe19734898645d9db2f2f0be5e1af

NanoCore

be240aed297970b0e97f46ce8964784645c8bfeb7b4ffc451ab7857b7df8438f

NanoCore

c2c3851dfab3b0b959145307759d5ed1cb64d92b7e0af87b79f0df0ee7b71e38

NanoCore

f80127513813eeb1bc2dd4aa089ad41c4bf9eb6cfdbd4aaf8490486d3eeca613

NanoCore

f9155082e1d12e318287a25bb73036feab7c75b7f0c3c1c30f457cbecaf9763a

NanoCore

+ 1'090 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

evasion trojan keylogger stealer spyware family:nanocore

Link:

https://tria.ge/reports/200805-6j6rylcp9s/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Creates scheduled task(s)

Suspicious use of SetThreadContext

Checks whether UAC is enabled

NanoCore

Malware Config

C2 Extraction:

aligod.duckdns.org:6493

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AgentTesla

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/41a16c2fac901e39b8d73bd18aee3a42b510c0e5a7984bb139584299b7356d16

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/