MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48f66677fec3c6d3734c439ed9b2fd29cb26a155e8ccb28f30c1b2b65a4878d8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 48f66677fec3c6d3734c439ed9b2fd29cb26a155e8ccb28f30c1b2b65a4878d8
SHA3-384 hash: a5d907fc2b1773142a29a85f0226d81e58dc03a4f184632376d4e2522d3cc5e7f3c4bbd630f139f85823a505435eaf0b
SHA1 hash: c03e4341baed5c923602ba7618fcf5dda49ee6d8
MD5 hash: 63a5e0cd270d6d0ecf15983fa7d0dfa9
humanhash: may-high-ack-five
File name:purchase order.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:794'112 bytes
First seen:2020-07-30 05:04:40 UTC
Last seen:2020-07-30 05:56:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9049d2d9e4b4ee0c20616207952aadc3 (6 x AgentTesla, 2 x NanoCore, 2 x Loki)
ssdeep 12288:LmHWniVDj9UfMWyW3P5eizRP6wP1HUzCERb4tVWVEi7YZhIgm+1Sg2Pd:LliPUEY5ei97FU/bzVEzIgm+1Sg2Pd
Threatray 2'670 similar samples on MalwareBazaar
TLSH 33F4AE22A2D04933D167173C9C0B5764A93DBE102B6B9A477BE61CCC5F39681F83E297
Reporter theDark3d
Tags:NanoCore

Intelligence

File Origin
# of uploads :
2
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/35271/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a window
Launching a process
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Creating a file in the Program Files subdirectories
Connection attempt
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Unauthorized injection to a system process
Enabling autorun with Startup directory
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/403142
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Creates files in alternative data streams (ADS)
Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Drops VBS files to the startup folder
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
Sigma detected: NanoCore
Writes to foreign memory regions
Yara detected Keylogger Generic
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 253799 Sample: purchase order.exe Startdate: 30/07/2020 Architecture: WINDOWS Score: 100 103 Found malware configuration 2->103 105 Malicious sample detected (through community Yara rule) 2->105 107 Sigma detected: NanoCore 2->107 109 10 other signatures 2->109 13 purchase order.exe 2->13         started        16 dhcpmon.exe 2->16         started        18 wscript.exe 1 2->18         started        process3 signatures4 135 Writes to foreign memory regions 13->135 137 Allocates memory in foreign processes 13->137 139 Queues an APC in another process (thread injection) 13->139 20 notepad.exe 5 13->20         started        24 notepad.exe 16->24         started        26 document.exe 18->26         started        process5 file6 81 C:\Users\user\AppData\...\document.exe, PE32 20->81 dropped 83 C:\Users\...\document.exe:Zone.Identifier, ASCII 20->83 dropped 113 Creates files in alternative data streams (ADS) 20->113 115 Drops VBS files to the startup folder 20->115 28 document.exe 20->28         started        85 C:\Users\user\AppData\Roaming\...\windows.vbs, ASCII 24->85 dropped 31 document.exe 24->31         started        117 Maps a DLL or memory area into another process 26->117 33 document.exe 26->33         started        35 document.exe 3 26->35         started        signatures7 process8 file9 125 Detected unpacking (changes PE section rights) 28->125 127 Detected unpacking (creates a PE file in dynamic memory) 28->127 129 Detected unpacking (overwrites its own PE header) 28->129 133 2 other signatures 28->133 38 document.exe 1 12 28->38         started        43 document.exe 28->43         started        131 Maps a DLL or memory area into another process 31->131 45 document.exe 31->45         started        47 document.exe 31->47         started        49 document.exe 33->49         started        79 C:\Users\user\AppData\...\document.exe.log, ASCII 35->79 dropped signatures10 process11 dnsIp12 93 kozatkr.myq-see.com 79.134.225.50, 49726, 49727, 49731 FINK-TELECOM-SERVICESCH Switzerland 38->93 95 127.0.0.1 unknown unknown 38->95 97 192.168.2.1 unknown unknown 38->97 87 C:\Program Files (x86)\...\dhcpmon.exe, PE32 38->87 dropped 89 C:\Users\user\AppData\Roaming\...\run.dat, data 38->89 dropped 91 C:\...\dhcpmon.exe:Zone.Identifier, ASCII 38->91 dropped 119 Hides that the sample has been downloaded from the Internet (zone.identifier) 38->119 51 document.exe 45->51         started        121 Maps a DLL or memory area into another process 49->121 54 document.exe 49->54         started        56 document.exe 49->56         started        file13 signatures14 process15 signatures16 111 Maps a DLL or memory area into another process 51->111 58 document.exe 51->58         started        60 document.exe 51->60         started        62 document.exe 54->62         started        process17 signatures18 65 document.exe 58->65         started        141 Maps a DLL or memory area into another process 62->141 68 document.exe 62->68         started        70 document.exe 62->70         started        process19 signatures20 99 Maps a DLL or memory area into another process 65->99 101 Sample uses process hollowing technique 65->101 72 document.exe 68->72         started        process21 signatures22 123 Maps a DLL or memory area into another process 72->123 75 document.exe 72->75         started        77 document.exe 72->77         started        process23
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/48f66677fec3c6d3734c439ed9b2fd29cb26a155e8ccb28f30c1b2b65a4878d8/
Threat name:
Win32.Trojan.DataStealer
Create hunting rule
Status:
Malicious
First seen:
2020-07-30 05:06:07 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jd3gm576ypdng42miopntmx5fhfsnikv5dglfdzqygzlmwsipdma._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
175bdb11453e65abc7c2d64a37b69d0bea771353c4eefbaa0d3ffb649292e2fc
NanoCore
366bac9db38e89bd47b0128bdf62a4f986d1d27449c12920744e157b819751f1
NanoCore
3874eba497e0b61949d0772430ce1df420e28777dba850a6033295212e9de9c5
NanoCore
3bcbadf163bd228438e9094d4be5b79639e501e55bcff4c879ec8fe4ccb71703
NanoCore
5901a8e4a36574b8ca6cb3c899e64cdfc27395de606cd4a512431e6dd827196f
NanoCore
5e4da067908b56292fc2595a72378a091feccd8090b6ba186db4287c94a68680
NanoCore
7259675aad35bed593ec88a0f96263e182eaac06043f25df3362eb29186d2cd1
NanoCore
a97663c4fdf7f3cdf524888ec2952bb015e77484d50627e185e67c8846bd8660
NanoCore
cc829675a0e11138d47b42b5c19e45403d7d73731aac0c97ca8b2a0e37a960f8
NanoCore
ff5fb544251818945ba7b14fb0602d71188133caf7742871318291c91b474013
NanoCore
+ 2'660 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
upx persistence evasion trojan keylogger stealer spyware family:nanocore
Link:
https://tria.ge/reports/200730-mjzfcjg5q2/
Behaviour
Suspicious use of WriteProcessMemory
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Drops startup file
Loads dropped DLL
Executes dropped EXE
UPX packed file
NanoCore
Malware Config
C2 Extraction:
kozatkr.myq-see.com:6666
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Farheyt
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/48f66677fec3c6d3734c439ed9b2fd29cb26a155e8ccb28f30c1b2b65a4878d8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/35271/

Comments