MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4df1395b3efc60787e9fbcc5708459e77c4f45941845a8ae97c1d70c9e046a95. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 8

Intelligence 8 IOCs YARA 5 File information Comments

SHA256 hash:	4df1395b3efc60787e9fbcc5708459e77c4f45941845a8ae97c1d70c9e046a95
SHA3-384 hash:	ab79c6c897825af8ab7de88892ee66ab6484496b264f873d364c0284bdd1e594f2c4aef64b2c8957fe47ee80798d327e
SHA1 hash:	0462c3f25808fb0fc65c9740642ede9cfa2ec5b0
MD5 hash:	d7bc0047e94572b46d5d53a52cc0b6ca
humanhash:	alpha-spring-river-uranus
File name:	4df1395b3efc60787e9fbcc5708459e77c4f45941845a8ae97c1d70c9e046a95
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	410'112 bytes
First seen:	2020-07-06 06:57:37 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:nypO0keci9OBzuqmHTtJblUKgvcd1z462zhZDauj8c4QTh89bv7meO:uOLZIJHTt7UdUrErhgdbQTh8
Threatray	1'181 similar samples on MalwareBazaar
TLSH	7294E031321DBF58E568FA34612251020C7A7E775617E75D3C8F34BC1CF2B898A66EA2
Reporter	JAMESWT_WT
Tags:	NanoCore

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

NanoCore

Link:

https://www.capesandbox.com/analysis/20985/

Detection(s):

SecuriteInfo.com.Generic-EXE.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% directory

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Creating a file in the %AppData% subdirectories

DNS request

Connection attempt to an infection source

Enabling autorun with Startup directory

Unauthorized injection to a system process

Detection:

nanocore

Link:

https://mwdb.cert.pl/sample/4df1395b3efc60787e9fbcc5708459e77c4f45941845a8ae97c1d70c9e046a95/

Threat name:

ByteCode-MSIL.Trojan.Avemariarat

Status:

Malicious

First seen:

2020-07-03 16:33:28 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 29 (72.41%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=jxytswz67rqhq7u7xtcxbbcz456e6rmudbc2rluxyhlqzhqenkkq._file

Verdict:

malicious

Label(s):

nanocorerat

NanoCore

7a994f27238df40178431508778e3a655cf73c5fac2d1d7166cb77c71c7b5710

NanoCore

95c37518f5a88778d1faad771fcbdc5d1a0e816b9e9b8cd7763a258f5445d79a

NanoCore

a8f1b181c37984cf41eb816ec9375d0ef94a5d6dd17f846612b9c95f4129bdc4

NanoCore

b31c888c6d36ec26e3c9d3ebd99c56abc17f860d008700e3e7687007bd09cfcf

NanoCore

c46f6d72a258354c5267436ea0db9cd3f12cc1595a0d9072d904b0b15731f092

NanoCore

d0656a37a28efcb2d601e3684d03b3f61048e62b2338f1d0bbeb374d3858f6b2

NanoCore

d7980c1e8ee9c38009cacdbc00f12940564aa7b33bc35ccc67510aeb57b75e2e

NanoCore

efaa9091d5aa1f64ae3b3c1258e90d5bb346e25e75ae3c4530ea9346380e2158

NanoCore

ff0b197ef34800ad007a5caedaf485af5ae523343ce8ec106d3a253d2c0a4a35

NanoCore

+ 1'171 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

evasion trojan keylogger stealer spyware family:nanocore

Link:

https://tria.ge/reports/200706-fcge8fsca2/

Behaviour

Suspicious behavior: GetForegroundWindowSpam

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetThreadContext

Checks whether UAC is enabled

NanoCore

Malware Config

C2 Extraction:

logs1234.duckdns.org:3303

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name:	win_nanocore_w0 Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/20985/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample