MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ade4caf6c4b04143763c6fd2243d9d6d04ba39ae082a9034fce9fae0a219c6b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 6 File information Comments

SHA256 hash:	4ade4caf6c4b04143763c6fd2243d9d6d04ba39ae082a9034fce9fae0a219c6b
SHA3-384 hash:	e79c44f8d233baaadd10994da581ee9cc3516625c0e4dfa72983d45a0f45e87618fe6d248caf96cdeeff4a903c870073
SHA1 hash:	dc25942ee4f7715550e7498c9b2a7d6de2900020
MD5 hash:	ebab60f64d8ab1c9abed1f8f6bcdfba3
humanhash:	equal-alabama-jig-juliet
File name:	Invoice.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	255'354 bytes
First seen:	2021-03-30 12:26:12 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep	6144:FAP1EnCld6HgXMlUSCS8w/6uhGhgGDbogwdc01BA6c:ytnMlUaH3ojH4I6c
Threatray	1'857 similar samples on MalwareBazaar
TLSH	0A4412043AF158BBDA7B2A3118739A3FE3FAE2040333552367392F645E6324755A918F
Reporter	abuse_ch
Tags:	exe NanoCore RAT

abuse_ch

NanoCore C2:
107.173.63.227:53896

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
107.173.63.227:53896	https://threatfox.abuse.ch/ioc/6063/

Intelligence

File Origin

# of uploads :

# of downloads :

155

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Invoice.exe

Verdict:

Malicious activity

Analysis date:

2021-03-30 12:36:02 UTC

Tags:

installer trojan nanocore rat

Link:

https://app.any.run/tasks/8d34bcff-a451-49c1-b758-b014dfea7dbf

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

NanoCore

Link:

https://www.capesandbox.com/analysis/128003/

Detection(s):

Win.Trojan.Generic-9848208-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Unauthorized injection to a recently created process

Creating a window

Creating a file in the %AppData% subdirectories

DNS request

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Nanocore

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/658353

Signature

.NET source code contains potential unpacker

Connects to many ports of the same IP (likely port scanning)

Detected Nanocore Rat

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Executable has a suspicious name (potential lure to open the executable)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Sigma detected: NanoCore

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Nanocore RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4ade4caf6c4b04143763c6fd2243d9d6d04ba39ae082a9034fce9fae0a219c6b/

Threat name:

Win32.Packed.Generic

Status:

Suspicious

First seen:

2021-03-30 12:26:24 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

8 of 48 (16.67%)

Threat level:

1/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=jlpezl3mjmcbin3dy36seq6z23iexi424cbksa2pz2p24crbtrvq._file

Verdict:

malicious

Label(s):

nanocorerat

NanoCore

1c55b3c97920d56dddbc38e6ba3c5dcbc7f3072792915b51e146b3dd92b3f392

NanoCore

4b13202d3051cdb4a77aea1f199b80e923c6071dc064246ae518a4ca57091965

NanoCore

52b5f2f95b1200b20a6f3adfcb93c6f87713155f83176dede353ee158c7c1b63

NanoCore

5b474ca6fc8158bd6f14d53bca8962f25db3392dfe324f49ddf376610bd785e4

NanoCore

9da4dcbaeacef69514b7576eb1a9af401d3dfd354a2d12e9a0e7b8b7e4db2703

NanoCore

b082aa828dd2eb42d6e1de8ccd8573ac3096ceee92ad26449fc1df6e490ff4ed

NanoCore

d64a4482514be4bb53344b4712d850bb5ad28bd589a5cf3f4d2d966d2ea9ef65

NanoCore

ddaaa650d42caaed5ddd7c307b986cdccfc25bcb84c7a4f29f9fddd26add4135

NanoCore

fe437d43f7133fadd1f6737840d626ba30d61eb8e983072b16175dccd7f011c1

NanoCore

+ 1'847 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

family:nanocore evasion keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210330-mzl4emvd36/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks whether UAC is enabled

Loads dropped DLL

NanoCore

Malware Config

C2 Extraction:

Unpacked files

SH256 hash:

1f35bb6728237483c779005fc227e69fef51b0bafd32d15855d483948a337078

MD5 hash:

eef9e469e8a30717974499f277d97e2a

SHA1 hash:

2d33c25984ebd9116beeb55cdde4c5c86c023e5d

Link:

https://www.unpac.me/results/4fa46e2b-c59b-42fa-91ec-c2e144c81a42/

SH256 hash:

1b9a4962fc0b62dea3901b2621501a1b1a5f80bbc013cda01ceaceef53108c75

MD5 hash:

1b978ba27a54264108d5276512b2c112

SHA1 hash:

841a5b7d3966db10585508500614280fc5da016d

Link:

https://www.unpac.me/results/4fa46e2b-c59b-42fa-91ec-c2e144c81a42/

SH256 hash:

4ade4caf6c4b04143763c6fd2243d9d6d04ba39ae082a9034fce9fae0a219c6b

MD5 hash:

ebab60f64d8ab1c9abed1f8f6bcdfba3

SHA1 hash:

dc25942ee4f7715550e7498c9b2a7d6de2900020

Link:

https://www.unpac.me/results/4fa46e2b-c59b-42fa-91ec-c2e144c81a42/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Nanocore

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4ade4caf6c4b04143763c6fd2243d9d6d04ba39ae082a9034fce9fae0a219c6b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	nanocore_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name:	win_nanocore_w0 Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/128003/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample