MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48a5835b51a5221656e9497ca5682a1e232bf1a1da085af917245dc3fad1a241. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 48a5835b51a5221656e9497ca5682a1e232bf1a1da085af917245dc3fad1a241
SHA3-384 hash: d102e71a2b536769a8150d862ded7f74aed5651524881699d0f35f1ae61c6ac9816936bef47436ddcc818cada24c26b0
SHA1 hash: 02293f2365648267b71aa3a97d759bf15d5910f7
MD5 hash: 2c5f874113c9c43eb21e2833783754bd
humanhash: william-kitten-cold-ink
File name:quotation & Sample.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:614'400 bytes
First seen:2020-10-12 08:45:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:wvP9T62IE38VsRdldX7pQYVg6AwWLWI+7JSmzWUDbCbXZlo:wv1Bv8KPX+Mghw/IizWkCbXTo
Threatray 1'125 similar samples on MalwareBazaar
TLSH EAD4F13127D8AB16D8BDB7BE4124208017F6E046D326E77D3CC541E906AEBD6CBA5B43
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: vps.fore-mbaume.com
Sending IP: 45.95.169.145
From: Mashalla.Gogadi <info@fore-mbaume.com>
Subject: Quotation and Sample
Attachment: quotation Sample.r11 (contains "quotation & Sample.exe")

NanoCore RAT C2:
aligod.duckdns.org:6493 (192.169.69.25)

Intelligence

File Origin
# of uploads :
1
# of downloads :
127
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/70006/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/488195
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Detected Nanocore Rat
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/48a5835b51a5221656e9497ca5682a1e232bf1a1da085af917245dc3fad1a241/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-12 07:45:28 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jcsygw2ruurbmvxjjf6kk2bkdyrsx4nb3iefv6ixero4h6wrujaq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
515a2c1a3b19f636a6bf97af416d1d7c07e4780a51e4976e72bdb408f8379521
NanoCore
60c933d92c32bb887976e0b949092fd822643d445b79a3289eb548866e35ea09
NanoCore
8275f526465d7b9d806b1be78d895d7f499044b456be1aec36b8cac8188890ac
NanoCore
894476db154bd989bb2969e4c749314058cd602d64071963972a432394340edb
NanoCore
8c71aca391fbd24fb5400cbc0cea7bfc424dfac861cbfebbac25393e8b21bbf4
NanoCore
94256300bb5d96beb391b09190f0fa3d3daf4965d3288655acccd42382edc0c4
NanoCore
a64ac7715f779b591f789eb4e66a54a8e8a26855a89089ee6e6080f61231a7c9
NanoCore
c8741ad3130b95d1df602e99ed65489df788819dabe8907f2a449197e8ba97ef
NanoCore
e132699f63854eb3c66be165867f2cafc37d29a8a3a4ca3c4c6949ed42ddde95
NanoCore
f728252169da3a6dc69cd201835230c017ce37c9a9cd06c1e7daa3153ebc6f80
NanoCore
+ 1'115 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
keylogger trojan stealer spyware family:nanocore
Link:
https://tria.ge/reports/201012-6dnva5pnsx/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
NanoCore
Malware Config
C2 Extraction:
aligod.duckdns.org:6493
Unpacked files
SH256 hash:
13b24d3a09d099dabe41cd6cd71607a77e14640b1e9b4ed2d60f6c012f191c43
MD5 hash:
109cedae3c384a1913107f1efad2b7c8
SHA1 hash:
1f7f35b0ed85fa12bb839cbce698e59a30813420
Link:
https://www.unpac.me/results/737c42f9-87c4-4ef7-9787-f3e34e980a96/
SH256 hash:
48a5835b51a5221656e9497ca5682a1e232bf1a1da085af917245dc3fad1a241
MD5 hash:
2c5f874113c9c43eb21e2833783754bd
SHA1 hash:
02293f2365648267b71aa3a97d759bf15d5910f7
Link:
https://www.unpac.me/results/737c42f9-87c4-4ef7-9787-f3e34e980a96/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/48a5835b51a5221656e9497ca5682a1e232bf1a1da085af917245dc3fad1a241

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

rar 468ee9419d4dfd7d51aa935fe803552e247a7e661e5e153c2b18a8a9dc619670

NanoCore

Executable exe 48a5835b51a5221656e9497ca5682a1e232bf1a1da085af917245dc3fad1a241

(this sample)

  
Dropped by
MD5 fd974f1aa7e4d7ae026f48b392de53fe
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/70006/
  
Dropped by
SHA256 468ee9419d4dfd7d51aa935fe803552e247a7e661e5e153c2b18a8a9dc619670

Comments