MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 52c280a9e1df79b39d176d673ebda000c46d89eab1477eae5b1a62f4ab8373bb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NanoCore


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 11 File information Comments

SHA256 hash: 52c280a9e1df79b39d176d673ebda000c46d89eab1477eae5b1a62f4ab8373bb
SHA3-384 hash: da4c4c96b593ef2e6c23ecef9c5e9ba123c5db14a449e4aa2c7660cc519691bf86981f23851f5808056acbd56b5d9fc6
SHA1 hash: 94393bb0ad4eeb3f818e34f57395642920920bb8
MD5 hash: 0e66d7d3cea736262ae210aaaa00eeb5
humanhash: fourteen-oklahoma-vermont-earth
File name:ozT6Kif37P9Trrb.exe
Download: download sample
Signature NanoCore
File size:574'464 bytes
First seen:2022-01-14 13:02:29 UTC
Last seen:2022-01-14 14:47:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (28'879 x AgentTesla, 8'705 x Formbook, 4'202 x Loki)
ssdeep 12288:DK777777777777N7lPB33pnS8tMtoOLHJfCJKlxqoYQ:DK777777777777llxpS8tMtA8lxqo9
Threatray 3'651 similar samples on MalwareBazaar
TLSH T133C4F14F765A9632CEF15A3408A184509F79AC5F6122C2063CFCFEAA38F37D4524E6D6
Reporter @abuse_ch
Tags:exe NanoCore RAT


Twitter
@abuse_ch
NanoCore C2:
103.153.78.234:8951

Intelligence


File Origin
# of uploads :
2
# of downloads :
318
Origin country :
FR FR
Mail intelligence
No data
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ozT6Kif37P9Trrb.exe
Verdict:
Malicious activity
Analysis date:
2022-01-14 13:04:01 UTC
Tags:
rat nanocore trojan

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
–°reating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Creating a file
Creating a file in the %AppData% subdirectories
Creating a file in the Program Files subdirectories
Forced shutdown of a system process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe obfuscated packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Nanocore
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: NanoCore
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicius Add Task From User AppData Temp
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 553225 Sample: ozT6Kif37P9Trrb.exe Startdate: 14/01/2022 Architecture: WINDOWS Score: 100 58 obeyice4rm392.bounceme.net 2->58 64 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->64 66 Multi AV Scanner detection for domain / URL 2->66 68 Found malware configuration 2->68 70 15 other signatures 2->70 9 ozT6Kif37P9Trrb.exe 7 2->9         started        13 RegSvcs.exe 2->13         started        15 dhcpmon.exe 2->15         started        17 dhcpmon.exe 2->17         started        signatures3 process4 file5 50 C:\Users\user\AppData\...\cVaRnofAle.exe, PE32 9->50 dropped 52 C:\Users\...\cVaRnofAle.exe:Zone.Identifier, ASCII 9->52 dropped 54 C:\Users\user\AppData\Local\...\tmp1CD0.tmp, XML 9->54 dropped 56 C:\Users\user\...\ozT6Kif37P9Trrb.exe.log, ASCII 9->56 dropped 74 Uses schtasks.exe or at.exe to add and modify task schedules 9->74 76 Writes to foreign memory regions 9->76 78 Adds a directory exclusion to Windows Defender 9->78 80 Injects a PE file into a foreign processes 9->80 19 RegSvcs.exe 1 15 9->19         started        24 powershell.exe 25 9->24         started        26 schtasks.exe 1 9->26         started        28 conhost.exe 13->28         started        30 conhost.exe 15->30         started        32 conhost.exe 17->32         started        signatures6 process7 dnsIp8 60 obeyice4rm392.bounceme.net 103.153.78.234, 49766, 49769, 49770 TWIDC-AS-APTWIDCLimitedHK unknown 19->60 62 192.168.2.1 unknown unknown 19->62 46 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 19->46 dropped 48 C:\Program Files (x86)\...\dhcpmon.exe, PE32 19->48 dropped 72 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->72 34 schtasks.exe 1 19->34         started        36 schtasks.exe 19->36         started        38 conhost.exe 24->38         started        40 conhost.exe 26->40         started        file9 signatures10 process11 process12 42 conhost.exe 34->42         started        44 conhost.exe 36->44         started       
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Status:
Malicious
First seen:
2022-01-14 13:03:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Result
Malware family:
nanocore
Score:
  10/10
Tags:
family:nanocore keylogger persistence spyware stealer trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
NanoCore
Malware Config
C2 Extraction:
obeyice4rm392.bounceme.net:8951
127.0.0.1:8951
Unpacked files
SH256 hash:
f9b8c3f31375e9a1ec105f930f751869a804110d29d6b38e7298622eb74b2bec
MD5 hash:
42006852619847f368bc4062849cd6dc
SHA1 hash:
ba6edc3a5aba8eac15b6a30e1407cdae80b2481d
SH256 hash:
01e3b18bd63981decb384f558f0321346c3334bb6e6f97c31c6c95c4ab2fe354
MD5 hash:
9c8242440c47a4f1ce2e47df3c3ddd28
SHA1 hash:
874f3caf663265f7dd18fb565d91b7d915031251
SH256 hash:
61e9d5c0727665e9ef3f328141397be47c65ed11ab621c644b5bbf1d67138403
MD5 hash:
bdc8945f1d799c845408522e372d1dbd
SHA1 hash:
874b7c3c97cc5b13b9dd172fec5a54bc1f258005
SH256 hash:
6d6255e43f8c15ac35d75832b1b8ac911010720326488ca424eee3e0566817c6
MD5 hash:
6fbeffefb041ca0248c2873f8f170127
SHA1 hash:
dc99780c9888bd4855c7fb8c75e95921ecd6a96a
SH256 hash:
deafbf4e45badf98e914fdfd8beca38c19dbaf77d2969af599c814f703a3bb16
MD5 hash:
1d5d387d0cec9b077fd3ec52ddf3024d
SHA1 hash:
c5fe9efb528f81d7f2508456ee8f2760c2db9ab6
Detections:
win_nanocore_w0
SH256 hash:
67bc8e36e7c1599873296b1d82813470d0a39adab82365b02784a744a2991f3d
MD5 hash:
e1bb2cc5a1e6ac7c36c836fa741148f2
SHA1 hash:
637ab7935449e9818ded148fd7d705d5de57e1f1
SH256 hash:
52c280a9e1df79b39d176d673ebda000c46d89eab1477eae5b1a62f4ab8373bb
MD5 hash:
0e66d7d3cea736262ae210aaaa00eeb5
SHA1 hash:
94393bb0ad4eeb3f818e34f57395642920920bb8

YARA Signatures


MalareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious proccess dumps they may create. Please note that only results from TLP:WHITE rules are being displayeyd.

Rule name:ach_NanoCore
Author:abuse.ch
Rule name:MALWARE_Win_NanoCore
Author:ditekSHen
Description:Detects NanoCore
Rule name:Nanocore
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:nanocore_rat
Author:jeFF0Falltrades
Rule name:Nanocore_RAT_Feb18_1
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Feb18_1_RID2DF1
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:Nanocore_RAT_Gen_2_RID2D96
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:win_nanocore_w0
Author:Kevin Breen <kevin@techanarchy.net>

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
103.153.78.234:8951 https://threatfox.abuse.ch/ioc/295235

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments