MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 472e9dd9be99ecc9a99dbed1014492ba726a6038a1e1b76621026d9b3b27fe89. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 472e9dd9be99ecc9a99dbed1014492ba726a6038a1e1b76621026d9b3b27fe89
SHA3-384 hash: 1b9834654e8c435d55498643f6dc1ec51304ba1aa258c00bd07f239da4781d555432c9fbed3e7c9b7006e298d333dc34
SHA1 hash: ff3df18a4b458bee44583ede9dde5827d29ac48f
MD5 hash: 4c41b144dfc02ab7bd97740af3858fdb
humanhash: dakota-early-speaker-sad
File name:TNOR_CYCLE_C2_220006954787_32106010359796_E_BDA_0_E_20221211_112633·pdf.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:315'480 bytes
First seen:2023-02-22 12:34:11 UTC
Last seen:2023-02-22 14:42:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7eae418c7423834ffc3d79b4300bd6fb (51 x GuLoader, 16 x RemcosRAT, 15 x AgentTesla)
ssdeep 6144:DicFyL/JUed7RUf+tD2Bsf0bEluyCOvC92piC085EDswlhhZ:2P/JpdRTD2Bscb4uyxv62kC0iEXhhZ
Threatray 427 similar samples on MalwareBazaar
TLSH T108641240A6A0D4B7FE915A3169272F278BF5EE052421238757D6AA7CBC333D2430BB75
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 69dcba23b392dc79 (3 x AveMariaRAT, 1 x NanoCore, 1 x GuLoader)
Reporter lowmal3
Tags:exe NanoCore signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2022-10-09T23:05:42Z
Valid to:2025-10-08T23:05:42Z
Serial number: 34098f8c4431bd34e9846aecda92682862638ea1
Thumbprint Algorithm:SHA256
Thumbprint: 4eb9387eb72aa7f50f3ba647dc46a68f5663c83a25d966f278659fc87d672d9d
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
273
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
guloader
Create hunting rule
ID:
1
File name:
TNOR_CYCLE_C2_220006954787_32106010359796_E_BDA_0_E_20221211_112633·pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-02-22 12:35:09 UTC
Tags:
guloader
Link:
https://app.any.run/tasks/08e71992-f923-4416-b948-8a1b1b794743

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/369030/
Detection(s):
SecuriteInfo.com.FileRepMalware.21260.27809.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% subdirectories
Delayed reading of the file
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/72238/overview
Behaviour
MalwareBazaar
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
80%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63f60bf79dd875fc912715f2/reports/86ec0ad5-69f1-4aca-bdb4-ef9b3f53560e/overview
Verdict:
Suspicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/472e9dd9be99ecc9a99dbed1014492ba726a6038a1e1b76621026d9b3b27fe89
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/ebec2627-6451-41a0-8618-a42da1bfbbc5
Result
Threat name:
Nanocore, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1180557
Signature
Detected Nanocore Rat
Hides that the sample has been downloaded from the Internet (zone.identifier)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected GuLoader
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 11645 Sample: TNOR_CYCLE_C2_220006954787_... Startdate: 22/02/2023 Architecture: WINDOWS Score: 100 27 googlehosted.l.googleusercontent.com 2->27 29 drive.google.com 2->29 31 doc-0g-ac-docs.googleusercontent.com 2->31 39 Snort IDS alert for network traffic 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 Multi AV Scanner detection for dropped file 2->43 45 7 other signatures 2->45 8 TNOR_CYCLE_C2_220006954787_32106010359796_E_BDA_0_E_20221211_112633#U00b7pdf.exe 27 2->8         started        signatures3 process4 file5 21 C:\Users\user\AppData\Local\...\System.dll, PE32 8->21 dropped 47 Writes to foreign memory regions 8->47 49 Tries to detect Any.run 8->49 12 CasPol.exe 1 20 8->12         started        17 CasPol.exe 8->17         started        signatures6 process7 dnsIp8 33 7fxcmft-olcmjfjxdk.duckdns.org 37.0.14.208, 34842, 49838 WKD-ASIE Netherlands 12->33 35 drive.google.com 142.250.186.46, 443, 49836 GOOGLEUS United States 12->35 37 googlehosted.l.googleusercontent.com 172.217.18.1, 443, 49837 GOOGLEUS United States 12->37 23 C:\Users\user\AppData\...\Kbenhavneres.exe, PE32 12->23 dropped 25 C:\Users\user\AppData\Roaming\...\run.dat, compacted 12->25 dropped 51 Tries to detect Any.run 12->51 53 Hides that the sample has been downloaded from the Internet (zone.identifier) 12->53 19 conhost.exe 12->19         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/472e9dd9be99ecc9a99dbed1014492ba726a6038a1e1b76621026d9b3b27fe89/
Threat name:
Win32.Downloader.Minix
Create hunting rule
Status:
Malicious
First seen:
2023-02-22 12:35:07 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
12 of 25 (48.00%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=i4xj3wn6thwmtkm5x3iqcresxjzguybyuhq3ozrbajwzwozh72eq._file
Verdict:
unknown
Similar samples:
10a21f1899dd0e83ead2011c4638017bc4723a06be0c2058a9f3214da4974a8d
NanoCore
1a090934724f507a62abdf0d9b07f477cc504d50b469f52797df17fc8739549a
NanoCore
28ca1fe12d85075d947b1bc3292c14cba784ed1e22287e56819d9a1d86b2f7e4
NanoCore
2c343836c7e44fa32816621f6903399cade80b4bebc2253ff9a6bb25bdb88106
NanoCore
334911b248ad837e24303037e3733e61b119998dc1e1ce8bf7a444754a4cda01
NanoCore
4b1e07f367e2c29e90cad5cd928dc1572dbcedfb04cd722fba01c67a7d349361
NanoCore
89599ae785aa5f919018882cd10534cbae8ac89047ebbeda0b232d52fa545944
NanoCore
ae82bc9492d5d94d7d5e28db012676037f48a716aba72304055f54158013aedc
NanoCore
b076cbf14c6f0a9bbb4aaaf8242622cefb6bccdf2aef9e130b48a0552bb5016f
NanoCore
c3a3c6015ffc1bc98b5a21f89e78049900e5796e67e098bead011a20a99e7b0d
NanoCore
+ 417 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:nanocore downloader keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230222-psby6abd32/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks QEMU agent file
Loads dropped DLL
Guloader,Cloudeye
NanoCore
Malware Config
C2 Extraction:
7fxcmft-olcmjfjxdk.duckdns.org:34842
127.0.0.1:34842
Unpacked files
SH256 hash:
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba
MD5 hash:
8cf2ac271d7679b1d68eefc1ae0c5618
SHA1 hash:
7cc1caaa747ee16dc894a600a4256f64fa65a9b8
Link:
https://www.unpac.me/results/8bcebb4a-7d42-449c-b907-bb6af6b2f738/
SH256 hash:
472e9dd9be99ecc9a99dbed1014492ba726a6038a1e1b76621026d9b3b27fe89
MD5 hash:
4c41b144dfc02ab7bd97740af3858fdb
SHA1 hash:
ff3df18a4b458bee44583ede9dde5827d29ac48f
Link:
https://www.unpac.me/results/8bcebb4a-7d42-449c-b907-bb6af6b2f738/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Nanocore
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/472e9dd9be99ecc9a99dbed1014492ba726a6038a1e1b76621026d9b3b27fe89

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

Executable exe 472e9dd9be99ecc9a99dbed1014492ba726a6038a1e1b76621026d9b3b27fe89

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/369030/

Comments