MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4d41aeadc8ec2a61264185f84985595dea4edec7a0c1e0866497c5f16d3dff46. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4d41aeadc8ec2a61264185f84985595dea4edec7a0c1e0866497c5f16d3dff46
SHA3-384 hash: b2c8945a4d795b3afdcf8f969a2865e442877b956b20f80ba95875c52a4c3c35402f79543dbc9fa0b2374117af81f0e2
SHA1 hash: 98e620725f4405b00afda47e445c424e4f5ee368
MD5 hash: b37008e83854fa3ebc61e75906d91480
humanhash: hydrogen-spring-robert-cup
File name:NEW_ORDER#4500121785_PO_PRODUCTS_PlG_Trading Services _Cos.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:579'584 bytes
First seen:2020-10-20 08:12:16 UTC
Last seen:2020-10-25 20:01:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:wC9A1GKZHNYPzodOWcdayxWN4GzzYtKztPpGrIdjvf:wWA1GUKzodOWcPxUzzRzDGrI
Threatray 1'173 similar samples on MalwareBazaar
TLSH 6FC4CE41A681D650DC3E5BF5E02C4DF043AB7C9AE675F19F2E897EE832B32D14A20947
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

From: PHAN NG?C H?NG <hr@wittyglobalexporters.pw>
Subject: Order 4500121785
Attachment: NEW_ORDER4500121785_PO_PRODUCTS_PlG_Trading Services _Cos.arj (contains "NEW_ORDER#4500121785_PO_PRODUCTS_PlG_Trading Services _Cos.exe")

Intelligence

File Origin
# of uploads :
3
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/73305/
Detection(s):
Sanesecurity.Rogue.0hr.20201020-1005.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Creating a file in the %AppData% subdirectories
Creating a file in the Program Files subdirectories
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Enabling autorun by creating a file
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/497235
Signature
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 300784 Sample: NEW_ORDER#4500121785_PO_PRO... Startdate: 20/10/2020 Architecture: WINDOWS Score: 100 55 Found malware configuration 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 Multi AV Scanner detection for dropped file 2->59 61 13 other signatures 2->61 8 NEW_ORDER#4500121785_PO_PRODUCTS_PlG_Trading Services _Cos.exe 6 2->8         started        11 dhcpmon.exe 4 2->11         started        14 dhcpmon.exe 3 2->14         started        16 NEW_ORDER#4500121785_PO_PRODUCTS_PlG_Trading Services _Cos.exe 2 2->16         started        process3 file4 47 C:\Users\user\AppData\...\KreJmKPfrGZaR.exe, PE32 8->47 dropped 49 C:\Users\user\AppData\Local\...\tmp39F5.tmp, XML 8->49 dropped 51 NEW_ORDER#45001217...rvices _Cos.exe.log, ASCII 8->51 dropped 18 NEW_ORDER#4500121785_PO_PRODUCTS_PlG_Trading Services _Cos.exe 1 15 8->18         started        23 schtasks.exe 1 8->23         started        65 Injects a PE file into a foreign processes 11->65 25 schtasks.exe 11->25         started        27 dhcpmon.exe 11->27         started        signatures5 process6 dnsIp7 53 185.140.53.187, 4488, 49716 DAVID_CRAIGGG Sweden 18->53 41 C:\Program Files (x86)\...\dhcpmon.exe, PE32 18->41 dropped 43 C:\Users\user\AppData\Roaming\...\run.dat, data 18->43 dropped 45 C:\...\dhcpmon.exe:Zone.Identifier, ASCII 18->45 dropped 63 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->63 29 schtasks.exe 1 18->29         started        31 schtasks.exe 1 18->31         started        33 conhost.exe 23->33         started        35 conhost.exe 25->35         started        file8 signatures9 process10 process11 37 conhost.exe 29->37         started        39 conhost.exe 31->39         started       
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4d41aeadc8ec2a61264185f84985595dea4edec7a0c1e0866497c5f16d3dff46/
Threat name:
ByteCode-MSIL.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2020-10-20 07:52:33 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jva25loi5qvgcjsbqx4etbkzlxve5xwhuda6bbtes7c7c3j575da._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
007496b08a75c10d024eaa0fb68783f9a012e8f707edbd804d3268e68496d3e6
NanoCore
1778a255b790b18f042384c6ebb3176d3f3f0fd172d313b07242ac42b000132e
NanoCore
686a21daa8d967cbd31e7672200f1c9eed2a7835ba8ef7cc3902c99005b292f4
NanoCore
7795d2106023220b5e106b1e05815e7818d66189c01d4bc927767008fccdc6d2
NanoCore
786e5ea538d875c628433d6cf45abd9559ede017b01b3fca8eb3bfc6dbc66f12
NanoCore
91966b77a6acc2fd64c773d8797a505c40ecd272ebb4b44a5757990b5e4939c5
NanoCore
92623796596c411c3458b0ba32673dfa0bb1fcdb5a2b42c07b0a3b9d6b044a21
NanoCore
9279c6ca7db65d126d35f77f8dc93b46c0e6e68a5ba6da1789ae30c1959bb898
NanoCore
ea4115e347193aa868162072e3db30d9652650aa2915726aa83d91beb202b9bb
NanoCore
fe7d67f2ca207d604740c8e66d22638049ca8a0c40818ad9f1d8515d6912f16d
NanoCore
+ 1'163 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
evasion trojan keylogger stealer spyware family:nanocore persistence
Link:
https://tria.ge/reports/201020-d2dsbdjdwn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
NanoCore
Malware Config
C2 Extraction:
185.140.53.187:4488
Unpacked files
SH256 hash:
4d41aeadc8ec2a61264185f84985595dea4edec7a0c1e0866497c5f16d3dff46
MD5 hash:
b37008e83854fa3ebc61e75906d91480
SHA1 hash:
98e620725f4405b00afda47e445c424e4f5ee368
Link:
https://www.unpac.me/results/4a6db50f-7260-49e2-88eb-422045528117/
SH256 hash:
31ce938626ccfb399fe1696710caf46d7ae9eb598b9d7d2aad719b594658469b
MD5 hash:
0aebe46040ceb011e78506d4985fe3de
SHA1 hash:
218ac1e7b14a66c604ec3042f8486bed9cd4c2c1
Link:
https://www.unpac.me/results/4a6db50f-7260-49e2-88eb-422045528117/
SH256 hash:
b38104ccd0d9f9c4708234c4ed483e16e142cb15ade39aaa77f7891182920e77
MD5 hash:
f8918ca385637dfd5cd4ad7a882be192
SHA1 hash:
597678636df5f108f48589b39fd371d0f0c95550
Link:
https://www.unpac.me/results/4a6db50f-7260-49e2-88eb-422045528117/
SH256 hash:
054bb506261d931c09b36ab7cdae083e46b1c93710a1bce0cab8c6fbb4fe0c03
MD5 hash:
266aeb9244ca539c5a64193b160b85ed
SHA1 hash:
d372f7600d79ad8b456ed8d2ed8777b8066602ba
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/4a6db50f-7260-49e2-88eb-422045528117/
Parent samples :
3013ac4b9889d31298ff55fab560e8f20b53052da859ad7f6c8d34f89b74cf24
4d41aeadc8ec2a61264185f84985595dea4edec7a0c1e0866497c5f16d3dff46
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4d41aeadc8ec2a61264185f84985595dea4edec7a0c1e0866497c5f16d3dff46

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:nanocore_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

arj 5db1afe52cb04992289ce8039aa5f4c89a6b44d9a91b387c52b58272ff34951d

NanoCore

Executable exe 4d41aeadc8ec2a61264185f84985595dea4edec7a0c1e0866497c5f16d3dff46

(this sample)

  
Dropped by
MD5 494ed599e20b516d1e0b9d1b6893e9f3
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/73305/
  
Dropped by
SHA256 5db1afe52cb04992289ce8039aa5f4c89a6b44d9a91b387c52b58272ff34951d

Comments