MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4d8f4f460acbe2df239467474b11f18b6f2927537227a5110a6780f44ed79f5f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4d8f4f460acbe2df239467474b11f18b6f2927537227a5110a6780f44ed79f5f
SHA3-384 hash: b0c6e0c576d30b51ada9921bb53519da35930f284bb7f8d28b1608f37d5f5361437090528a981f054509a419823443bd
SHA1 hash: de70dc4b44f36f6c5afd938274726c658b2ca129
MD5 hash: ae757796177f9e12de5c5022f296ecff
humanhash: earth-quiet-stairway-equal
File name:ae757796177f9e12de5c5022f296ecff.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:1'175'280 bytes
First seen:2020-07-22 05:13:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash dac775e30ac330b097f7d80b3fb4a6d0 (1 x AveMariaRAT, 1 x NanoCore)
ssdeep 24576:QuvbJE41YIyirB+s9R1lhUBaWTjc6vjFb2+q1i/ZVd5imb:XJEpviN+s9RD2BaWkmFan8hb
Threatray 1'101 similar samples on MalwareBazaar
TLSH 5845D0035E0BEA4AF40E6B77912A42E391CD9CFE944128137550BF6F74B06872A6F53B
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
NanoCore RAT C2:
ufok.duckdns.org:24980 (54.37.36.116)

Intelligence

File Origin
# of uploads :
1
# of downloads :
75
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/30700/
Detection(s):
SecuriteInfo.com.LuheMalumA.13912.29549.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Launching a process
Creating a file in the Program Files subdirectories
Creating a file in the %temp% directory
Deleting a recently created file
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Enabling autorun with Startup directory
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/394280
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 249510 Sample: PHoL7ffm47.exe Startdate: 22/07/2020 Architecture: WINDOWS Score: 100 44 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 7 other signatures 2->50 7 Player.exe.exe 2->7         started        10 Player.exe.exe 2->10         started        12 PHoL7ffm47.exe 1 2 2->12         started        15 2 other processes 2->15 process3 file4 56 Sample uses process hollowing technique 7->56 17 RegSvcs.exe 1 10 7->17         started        58 Multi AV Scanner detection for dropped file 10->58 60 Machine Learning detection for dropped file 10->60 22 RegSvcs.exe 10->22         started        38 C:\Users\user\AppData\...\Player.exe.exe, PE32 12->38 dropped 62 Creates multiple autostart registry keys 12->62 24 RegSvcs.exe 12->24         started        26 conhost.exe 15->26         started        28 conhost.exe 15->28         started        signatures5 process6 dnsIp7 40 ufok.duckdns.org 192.169.69.25, 24980, 49737, 49738 WOWUS United States 17->40 42 54.37.36.116, 24980, 49734, 49735 OVHFR France 17->42 34 C:\Users\user\AppData\Roaming\...\run.dat, ISO-8859 17->34 dropped 36 C:\Users\user\AppData\Roaming\...\wpasv.exe, PE32 17->36 dropped 52 Creates multiple autostart registry keys 17->52 54 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->54 30 WerFault.exe 22->30         started        32 WerFault.exe 24->32         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4d8f4f460acbe2df239467474b11f18b6f2927537227a5110a6780f44ed79f5f/
Threat name:
Win32.Backdoor.NanoCore
Create hunting rule
Status:
Malicious
First seen:
2020-07-21 23:41:58 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jwhu6rqkzprn6i4um5duweprrnxssj2toit2keikm6apitwxt5pq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
01956570f3d4747162a5b0c381bd39c843ac0a50c9355cecc621cfe9ae10a6df
NanoCore
39dc3a88f6948d7740c6260cdabb5affccf9bcf4da744c4cc44cf674950c7c49
NanoCore
408b676c05cde3623e9271d39c20ec19aaa9ad9882db0f08451442379409be99
NanoCore
41f79628a7ff72d611f593286f5b70a51c72f8359e6600535b1b3e9772fd7c0c
NanoCore
523e47e96043b4e5ff372230e6fbdf6a56f6e8fcf95fcd94d4a976d95471e54c
NanoCore
525ad168dd1152a5dd477791b01b3d6edf0ddf296b72ef04b96a79f1e2a1e499
NanoCore
81ce98988c6bc711bb7e96cb59366594d75a19766339cd87b77a0192f0639809
NanoCore
af7b5b39405065f105a0bf0f53578061adcd58a5861bb38827dd0f62df4f57ed
NanoCore
b59de3e185784023c3bfa211f874ab50b74083e6d0a83174a8c42d74099429a4
NanoCore
c9522b2123a5c1d678125fecafc722f82d46c099f6c1cbcca6b95c2911130927
NanoCore
+ 1'091 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
persistence evasion trojan keylogger stealer spyware family:nanocore
Link:
https://tria.ge/reports/200722-lghe9f3stx/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run key to start application
NanoCore
Malware Config
C2 Extraction:
54.37.36.116:24980
ufok.duckdns.org:24980
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4d8f4f460acbe2df239467474b11f18b6f2927537227a5110a6780f44ed79f5f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NanoCore

Executable exe 4d8f4f460acbe2df239467474b11f18b6f2927537227a5110a6780f44ed79f5f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/416190/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/30700/

Comments