MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 54deeaeed632cdef34ba67c7b879e8c88ad5d19675cd69e613f663e9bcb3c51f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 54deeaeed632cdef34ba67c7b879e8c88ad5d19675cd69e613f663e9bcb3c51f
SHA3-384 hash: 11a154e75f36084a4e8de98ee8f868dc7daf51f597d974825a28b4c41439843adb97c48e9d521766fd73126bffe3f3cd
SHA1 hash: 50a8fab9e58926e4ad16320e680fdffb93421b64
MD5 hash: ee2a62cc8929d4e237de6b33b32dd136
humanhash: fix-south-dakota-robert
File name:R2ERChVU88T7UYn.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:607'744 bytes
First seen:2020-10-15 13:18:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'471 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:BDhdBO92E6xnWNvQDO8OXXz7V4TuOC9g2cxFY5k:Bo8EYWpQC8Yp4K1
Threatray 1'148 similar samples on MalwareBazaar
TLSH 28D4F12977C0BB8FD23F8F728A615C1097E0A5AB8707C347ADD310DC588E699CB56663
Reporter James_inthe_box
Tags:exe NanoCore

Intelligence

File Origin
# of uploads :
1
# of downloads :
116
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/71425/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Creating a file in the %AppData% subdirectories
Creating a file in the Program Files subdirectories
Connection attempt
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/492541
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 298787 Sample: R2ERChVU88T7UYn.exe Startdate: 15/10/2020 Architecture: WINDOWS Score: 100 46 Found malware configuration 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 Antivirus detection for dropped file 2->50 52 16 other signatures 2->52 7 R2ERChVU88T7UYn.exe 7 2->7         started        11 dhcpmon.exe 5 2->11         started        process3 file4 28 C:\Users\user\AppData\...\jNwuhxdjagB.exe, PE32 7->28 dropped 30 C:\Users\...\jNwuhxdjagB.exe:Zone.Identifier, ASCII 7->30 dropped 32 C:\Users\user\AppData\Local\...\tmpA9EB.tmp, XML 7->32 dropped 34 C:\Users\user\...\R2ERChVU88T7UYn.exe.log, ASCII 7->34 dropped 54 Detected unpacking (changes PE section rights) 7->54 56 Detected unpacking (overwrites its own PE header) 7->56 13 R2ERChVU88T7UYn.exe 1 9 7->13         started        18 schtasks.exe 1 7->18         started        58 Injects a PE file into a foreign processes 11->58 20 schtasks.exe 1 11->20         started        22 dhcpmon.exe 2 11->22         started        signatures5 process6 dnsIp7 42 185.231.113.86, 1604 PTPEU European Union 13->42 44 mavennezeliora123.ddns.net 185.140.53.68, 1604 DAVID_CRAIGGG Sweden 13->44 36 C:\Program Files (x86)\...\dhcpmon.exe, PE32 13->36 dropped 38 C:\Users\user\AppData\Roaming\...\run.dat, data 13->38 dropped 40 C:\...\dhcpmon.exe:Zone.Identifier, ASCII 13->40 dropped 60 Hides that the sample has been downloaded from the Internet (zone.identifier) 13->60 24 conhost.exe 18->24         started        26 conhost.exe 20->26         started        file8 signatures9 process10
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/54deeaeed632cdef34ba67c7b879e8c88ad5d19675cd69e613f663e9bcb3c51f/
Threat name:
ByteCode-MSIL.Backdoor.NanoCore
Create hunting rule
Status:
Malicious
First seen:
2020-10-15 09:46:47 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ktpov3wwglg66nf2m7d3q6pizcfnlumwoxgwtzqt6zr6tpftyupq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
16a89bdfcb47975f86cf09cca2ae8a67224cc37cfd69264f9a55feed1cc83c48
NanoCore
24683ff5c436b2b56e96268ba4c591e8f80e9995623a0a1f6e6c7adf5bd2a62c
NanoCore
602b19f259171ac577fb9d67952442c71809b4b3977484115883d7ed6be067a3
NanoCore
63dfa06e060f866e2762247bd6f172422c735f8d6f4402bf4b709933c2d4da59
NanoCore
6aa3059db34fb36662907183cf3780aac4b4c00e663f261a59aeebc00c03a5c0
NanoCore
a4daf793ab3c51609ba2667a64649b17de7c68aefa387b3dd7c3ac01b5db22ae
NanoCore
a9352a90a15c864ae05d1d1138aff00094883dc44afffc471e837e46fe3eb24e
NanoCore
d0a8b39bc4bd58191a4b6db1a71621e7d9e2e124c05ad01922aafb9eba72205a
NanoCore
e301fd976c111fd0f209f4cb6e8bd267bd5eb242707ad286b217a5d98032aad6
NanoCore
ef5b4a828d4322e2ca5681423488e03e9991191809fc068d80ce0bbeba792984
NanoCore
+ 1'138 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
evasion trojan keylogger stealer spyware family:nanocore persistence
Link:
https://tria.ge/reports/201015-2kxkh81ftn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
NanoCore
Malware Config
C2 Extraction:
185.231.113.86:1604
mavennezeliora123.ddns.net:1604
Unpacked files
SH256 hash:
54deeaeed632cdef34ba67c7b879e8c88ad5d19675cd69e613f663e9bcb3c51f
MD5 hash:
ee2a62cc8929d4e237de6b33b32dd136
SHA1 hash:
50a8fab9e58926e4ad16320e680fdffb93421b64
Link:
https://www.unpac.me/results/30db665a-80c4-4a81-86f3-ad7949d54cb2/
SH256 hash:
338282731b81e3599b7c037ebfc4169c7db2aaa940665cefa0b326e4f3fbb88b
MD5 hash:
94e9d3ff8a57fca228215fff922d0e90
SHA1 hash:
4c4f400d1b9074313c15e196af0196accf7bc0b5
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/30db665a-80c4-4a81-86f3-ad7949d54cb2/
SH256 hash:
100ac7a5210fc2395dfa25110d63f8ef9dce54a9d97ab333acce553e56ab549a
MD5 hash:
4e58fc9f7832fdb66a8fc3fd230ac6e5
SHA1 hash:
b095ff78c5a1e83566308d59a04cf951f6d7c4a8
Link:
https://www.unpac.me/results/30db665a-80c4-4a81-86f3-ad7949d54cb2/
SH256 hash:
3f5634ebaadc5252b24933ae261eeb1840d6bb4aa97cb8dfe211d574ca1871bd
MD5 hash:
f9ebd431bd9e2995f0f6ecbacf8a783e
SHA1 hash:
c6d195b3e18d2b4922a879852fecb91e3110127f
Link:
https://www.unpac.me/results/30db665a-80c4-4a81-86f3-ad7949d54cb2/
SH256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
Link:
https://www.unpac.me/results/30db665a-80c4-4a81-86f3-ad7949d54cb2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Nanocore
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/54deeaeed632cdef34ba67c7b879e8c88ad5d19675cd69e613f663e9bcb3c51f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/71425/

Comments