MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49de4524bd749523e1a8239eb6edecc62605ef2ed40852306795b839dec39270. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 49de4524bd749523e1a8239eb6edecc62605ef2ed40852306795b839dec39270
SHA3-384 hash: f3b31d057e62637d68a1fb39db6b0656d020a2a7c882b759f9b707b429226f03d1824fd7ef816ffa910ccf72302ef298
SHA1 hash: 7c827e49985ce226a9c0945d11a6e91e1316c46a
MD5 hash: d221726817afaef22689053158d00e2f
humanhash: michigan-maryland-helium-mirror
File name:Scan0293994994995docs.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:98'304 bytes
First seen:2021-08-26 14:04:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ff24a027dfc3b9e5934ec374a09b35a4 (1 x NanoCore)
ssdeep 1536:7xn4ScHfn1b6lVQ9No5X/hocTTusBsIxIp/tQpBF:1n4Nnd3o5acHBIp/O
Threatray 4'459 similar samples on MalwareBazaar
TLSH T160A36D926620E462E4654E72C9B647F4172DEF27E8118FCF55247FA8F834AC3A4B121F
dhash icon d2fefefefcf8d2c3 (2 x NanoCore, 1 x GuLoader)
Reporter James_inthe_box
Tags:exe NanoCore

Intelligence

File Origin
# of uploads :
1
# of downloads :
526
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Scan0293994994995docs.exe
Verdict:
No threats detected
Analysis date:
2021-08-26 14:09:52 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1fd6c9b0-28f9-4378-94b0-74e446575442

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/182679/
Detection(s):
Win.Dropper.Mucc-9888638-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Unauthorized injection to a system process
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c3b6069d-a5f1-458f-b04a-ed0dbc7f7fa6
Result
Threat name:
Nanocore GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/839824
Signature
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected GuLoader
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 472259 Sample: Scan0293994994995docs.exe Startdate: 26/08/2021 Architecture: WINDOWS Score: 100 42 parqan.hopto.org 2->42 44 northside.hopto.org 2->44 46 2 other IPs or domains 2->46 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 Multi AV Scanner detection for submitted file 2->52 54 6 other signatures 2->54 8 Scan0293994994995docs.exe 2->8         started        11 SUBSET.exe 2->11         started        13 dhcpmon.exe 4 2->13         started        15 SUBSET.exe 2->15         started        signatures3 process4 signatures5 62 Writes to foreign memory regions 8->62 64 Tries to detect Any.run 8->64 66 Hides threads from debuggers 8->66 17 RegAsm.exe 2 19 8->17         started        68 Multi AV Scanner detection for dropped file 11->68 22 RegAsm.exe 1 11->22         started        24 RegAsm.exe 11->24         started        26 conhost.exe 13->26         started        process6 dnsIp7 36 northside.hopto.org 23.105.131.236, 49723, 49727, 49728 LEASEWEB-USA-NYC-11US United States 17->36 38 parqan.hopto.org 17->38 40 2 other IPs or domains 17->40 30 C:\Users\user\bltedyr\SUBSET.exe, PE32 17->30 dropped 32 C:\Users\user\AppData\Roaming\...\run.dat, ISO-8859 17->32 dropped 34 C:\Program Files (x86)\...\dhcpmon.exe, PE32 17->34 dropped 56 Tries to detect Any.run 17->56 58 Hides threads from debuggers 17->58 60 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->60 28 conhost.exe 17->28         started        file8 signatures9 process10
Detection:
guloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/49de4524bd749523e1a8239eb6edecc62605ef2ed40852306795b839dec39270/
Threat name:
Win32.Trojan.Mucc
Create hunting rule
Status:
Malicious
First seen:
2021-08-25 16:33:00 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
18 of 46 (39.13%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
17a00793ae886c9cae84cba40332249374010e64bd168e907d9a16076479ff29
NanoCore
250d4d5045162c39e3c1b9d637e0188089299a04106202afdf1f4826d24e27f4
NanoCore
26429a83373a49db5ad7801f324d8f1ce0aafd687ee405a44cb8d6ebebf65c15
NanoCore
37fba5e93049ee78ac1fdf1fafe945636680193ddcb1dc9533f2c9ac80d3744c
NanoCore
3cbf0aeafec688023948cad7bf7475270ba9cb1acb0078cf1a9d6288f2751a20
NanoCore
522735989689a96d0e10e926aae941e58a695062254573c5796bb129e4c7703e
NanoCore
96beaff70c51e04f38db0943eddd24ecc142ef2815d536b82655e25fbf5a54db
NanoCore
9eaaa51cdaaead40d21f14ead0122b0e9862326895d672fa803d2c6fad981602
NanoCore
a9c312936a88ac3629aa8fb5c4d6b5fe5fcad17319b825bf4b383fd807cb3f51
NanoCore
c6e5156c311412210237810450648947699d1c4862536a4e86b778e899627292
NanoCore
+ 4'449 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:nanocore downloader evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210826-p9h51dv7zs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Checks QEMU agent file
Guloader,Cloudeye
NanoCore
Malware Config
C2 Extraction:
northside.hopto.org:9497
parqan.hopto.org:9497
Unpacked files
SH256 hash:
49de4524bd749523e1a8239eb6edecc62605ef2ed40852306795b839dec39270
MD5 hash:
d221726817afaef22689053158d00e2f
SHA1 hash:
7c827e49985ce226a9c0945d11a6e91e1316c46a
Link:
https://www.unpac.me/results/88d47f23-114a-4fb1-a959-2418ca1d0dd2/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/49de4524bd74/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/49de4524bd749523e1a8239eb6edecc62605ef2ed40852306795b839dec39270

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/182679/

Comments