MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 47b90abe3f191652445e0ce55144246cbc251cd2648ccbab7ba9d7b428ec5a82. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 13

Intelligence 13 IOCs 1 YARA 6 File information Comments

SHA256 hash:	47b90abe3f191652445e0ce55144246cbc251cd2648ccbab7ba9d7b428ec5a82
SHA3-384 hash:	ee409012caaba7af26cc0316873fed1a469bbec3afe3ae45238efb75e638b5a51b6c92e1069c2ef9aecc1f3be3cf839b
SHA1 hash:	a2e63400fea5b43232f56656080bb34050624537
MD5 hash:	45e3a6e84cc04e355a6a80b80bb2d42e
humanhash:	cola-pennsylvania-three-pasta
File name:	45E3A6E84CC04E355A6A80B80BB2D42E.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	457'466 bytes
First seen:	2021-03-26 22:07:12 UTC
Last seen:	2021-03-26 23:37:59 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	b1a57b635b23ffd553b3fd1e0960b2bd (39 x Formbook, 29 x Loki, 27 x AgentTesla)
ssdeep	12288:v7Ffi+Eov3iGbUOC3EqQnX/KOC0xk88qh0sE:zZi+Eov3iGHC3GXSOC0iNW0sE
Threatray	2'000 similar samples on MalwareBazaar
TLSH	E3A402677480D2B1F879C536EB298FF09B263E238650218F37947F7AF5B2296D212447
Reporter	abuse_ch
Tags:	exe NanoCore RAT

abuse_ch

NanoCore C2:
104.37.1.32:7632

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
104.37.1.32:7632	https://threatfox.abuse.ch/ioc/5526/

Intelligence

File Origin

# of uploads :

# of downloads :

259

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

45E3A6E84CC04E355A6A80B80BB2D42E.exe

Verdict:

Malicious activity

Analysis date:

2021-03-26 22:08:30 UTC

Tags:

rat nanocore trojan

Link:

https://app.any.run/tasks/0436a6a1-8d7b-4048-b95d-4f65ea645aaf

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

NanoCore

Link:

https://www.capesandbox.com/analysis/127212/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Stealer.30053.6689.6662.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a file

Sending a UDP request

Unauthorized injection to a recently created process

Creating a window

Creating a file in the %AppData% subdirectories

DNS request

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

NanoCoreRAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/33c2e9c9-454b-4ab8-8900-ac84be3b882e

Result

Threat name:

Nanocore

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/655579

Signature

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Detected Nanocore Rat

Detected unpacking (changes PE section rights)

Detected unpacking (creates a PE file in dynamic memory)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Uses dynamic DNS services

Yara detected Nanocore RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

nanocore

Link:

https://mwdb.cert.pl/sample/47b90abe3f191652445e0ce55144246cbc251cd2648ccbab7ba9d7b428ec5a82/

Threat name:

Win32.Trojan.Spynoon

Status:

Malicious

First seen:

2021-03-24 00:54:07 UTC

AV detection:

20 of 29 (68.97%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=i64qvpr7delferc6btsvcrbens6ckhgsmsgmxk33vhl3ikhmlkba._file

Verdict:

malicious

Label(s):

nanocorerat

NanoCore

1c55b3c97920d56dddbc38e6ba3c5dcbc7f3072792915b51e146b3dd92b3f392

NanoCore

4b13202d3051cdb4a77aea1f199b80e923c6071dc064246ae518a4ca57091965

NanoCore

52b5f2f95b1200b20a6f3adfcb93c6f87713155f83176dede353ee158c7c1b63

NanoCore

5b474ca6fc8158bd6f14d53bca8962f25db3392dfe324f49ddf376610bd785e4

NanoCore

9da4dcbaeacef69514b7576eb1a9af401d3dfd354a2d12e9a0e7b8b7e4db2703

NanoCore

b082aa828dd2eb42d6e1de8ccd8573ac3096ceee92ad26449fc1df6e490ff4ed

NanoCore

d64a4482514be4bb53344b4712d850bb5ad28bd589a5cf3f4d2d966d2ea9ef65

NanoCore

ddaaa650d42caaed5ddd7c307b986cdccfc25bcb84c7a4f29f9fddd26add4135

NanoCore

fe437d43f7133fadd1f6737840d626ba30d61eb8e983072b16175dccd7f011c1

NanoCore

+ 1'990 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

family:nanocore evasion keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210326-eb5l4ps6b6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks whether UAC is enabled

Loads dropped DLL

NanoCore

Malware Config

C2 Extraction:

justinalwhitedd554.duckdns.org:7632
paymentmaba.sinsincity.com:7632

Unpacked files

SH256 hash:

b25b431ba69f6fa894b0c26ba032cdfd33cdf01129d4cac94f5394ccabf4ca54

MD5 hash:

bfdd129cdafd9b3b0058a530b3d3f88d

SHA1 hash:

75be1d9315b02215865706ac546570e42815e595

Link:

https://www.unpac.me/results/9e13ef96-7bfe-404a-b1fa-fe81f4b0a921/

SH256 hash:

8f24c6cf0b06d18f3c07e7bfca4e92afce71834663746cfaa9ddf52a25d5c586

MD5 hash:

d753362649aecd60ff434adf171a4e7f

SHA1 hash:

3b752ad064e06e21822c8958ae22e9a6bb8cf3d0

Link:

https://www.unpac.me/results/9e13ef96-7bfe-404a-b1fa-fe81f4b0a921/

SH256 hash:

47b90abe3f191652445e0ce55144246cbc251cd2648ccbab7ba9d7b428ec5a82

MD5 hash:

45e3a6e84cc04e355a6a80b80bb2d42e

SHA1 hash:

a2e63400fea5b43232f56656080bb34050624537

Link:

https://www.unpac.me/results/9e13ef96-7bfe-404a-b1fa-fe81f4b0a921/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Nanocore

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/47b90abe3f191652445e0ce55144246cbc251cd2648ccbab7ba9d7b428ec5a82

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	nanocore_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name:	win_nanocore_w0 Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/127212/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample