MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 558c3b5d571697ab604649130fd84d0396f116e2d2c2dbbceb57b55f21069717. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 558c3b5d571697ab604649130fd84d0396f116e2d2c2dbbceb57b55f21069717
SHA3-384 hash: 6166d31cdeb8da45129cbdb03d3f1a92ca818586eaa217a0e3411b3c09e5dfcb35c3802b35b4006a27bb55d439afb53e
SHA1 hash: fd991631a96ecc46234074974977746beee2550b
MD5 hash: 068405c05e90ca62adc8061f175bcbaa
humanhash: seven-uncle-two-washington
File name:Racun TEMPO Document22-3600-001345736.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:879'104 bytes
First seen:2022-04-14 10:31:57 UTC
Last seen:2022-04-20 10:20:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:sLzINGNUVh19I7k5auU9jsi1mpsZwmHZotIN5F3J2+l0dXLrRff0ykBz33mAWIlF:vFDPIw5P6fky2+lafYz33HPlOex
Threatray 4'423 similar samples on MalwareBazaar
TLSH T177150115F2A9AFA2C03D83F44C70D44413B6B75A652DC6493CFA74DE0AB1BC26266F4B
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
NanoCore C2:
185.29.9.48:32114

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.29.9.48:32114 https://threatfox.abuse.ch/ioc/519793/

Intelligence

File Origin
# of uploads :
3
# of downloads :
394
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
nanocore
Create hunting rule
ID:
1
File name:
Racun TEMPO Document22-3600-001345736.exe
Verdict:
Malicious activity
Analysis date:
2022-04-14 10:34:01 UTC
Tags:
trojan nanocore rat
Link:
https://app.any.run/tasks/4ac30ad8-2d59-492a-a82d-3126a6299ce1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/263646/
Detection(s):
SecuriteInfo.com.Artemis068405C05E90.32282.6801.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed replace.exe update.exe
Link:
https://www.filescan.io/uploads/6257f82bffe27d5119cd138b/reports/284c947c-9493-4e53-823a-f9701da6d45d/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NanoCoreRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4791a838-29ad-430c-b109-131bee6e97b9
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/976730
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Suspicious Add Scheduled Task From User AppData Temp
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 609215 Sample: Racun TEMPO Document22-3600... Startdate: 14/04/2022 Architecture: WINDOWS Score: 100 39 amuokuku.duckdns.org 2->39 45 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->45 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 17 other signatures 2->51 8 Racun TEMPO Document22-3600-001345736.exe 7 2->8         started        signatures3 process4 file5 29 C:\Users\user\AppData\Roaming\lJGQPgJ.exe, PE32 8->29 dropped 31 C:\Users\user\...\lJGQPgJ.exe:Zone.Identifier, ASCII 8->31 dropped 33 C:\Users\user\AppData\Local\...\tmpD48C.tmp, XML 8->33 dropped 35 Racun TEMPO Docume...0-001345736.exe.log, ASCII 8->35 dropped 53 Adds a directory exclusion to Windows Defender 8->53 12 Racun TEMPO Document22-3600-001345736.exe 8->12         started        17 powershell.exe 25 8->17         started        19 powershell.exe 24 8->19         started        21 schtasks.exe 8->21         started        signatures6 process7 dnsIp8 41 amuokuku.duckdns.org 185.29.9.48, 32114, 49738, 49741 DATACLUB-SE European Union 12->41 43 192.168.2.1 unknown unknown 12->43 37 C:\Users\user\AppData\Roaming\...\run.dat, data 12->37 dropped 55 Hides that the sample has been downloaded from the Internet (zone.identifier) 12->55 23 conhost.exe 17->23         started        25 conhost.exe 19->25         started        27 conhost.exe 21->27         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/558c3b5d571697ab604649130fd84d0396f116e2d2c2dbbceb57b55f21069717/
Threat name:
ByteCode-MSIL.Trojan.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2022-04-14 10:32:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kwgdwxkxc2l2wycgjejq7wcnaolpcfxc2lbnxphlk62v6iigs4lq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
1095c007bb641be5c286e491a4f4ced026984a7767f930ee09c4d2995b5a76f2
NanoCore
32874f0b28626ef297751b30230e2e9908a0d9196d56c66ee97be86a7bddb4b3
NanoCore
a0c4f2836d7b935bd927dc9727a0391762ba85f984656e77df325f9c5e8e6db4
NanoCore
b5be9580e694c462cf0259c7a4220b1efe737fb7f85241668288b3c7293eb0c4
NanoCore
e27792bffcd7542e12f213e02a043e53e49e6b62aebd91dace6d1621ffb0e07c
NanoCore
+ 4'413 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220414-mky3lsbab3/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Checks computer location settings
NanoCore
Malware Config
C2 Extraction:
amuokuku.duckdns.org:32114
alliedtrade54321.ddns.net:32114
Unpacked files
SH256 hash:
4b02c5a7a674b8cdd1ad14f2fef05f1122544e9b952c9a4c62aef09952e68c95
MD5 hash:
aaf7b39f13c478e5e1191265b873a755
SHA1 hash:
f030fee587aeffb908a73ef9d6704a1d9d629a17
Link:
https://www.unpac.me/results/9ff5eb9a-b709-4fe1-ace4-11431d021c04/
SH256 hash:
c14ea4bdd27d729f044bf4e83e0bdb1e1cfcc92c987036fdbc439283c1022211
MD5 hash:
0587f7540c5eefae2bb042a11ff155d5
SHA1 hash:
24ca734b95fe93790c053f748791de56e66ebc1e
Link:
https://www.unpac.me/results/9ff5eb9a-b709-4fe1-ace4-11431d021c04/
SH256 hash:
558c3b5d571697ab604649130fd84d0396f116e2d2c2dbbceb57b55f21069717
MD5 hash:
068405c05e90ca62adc8061f175bcbaa
SHA1 hash:
fd991631a96ecc46234074974977746beee2550b
Link:
https://www.unpac.me/results/9ff5eb9a-b709-4fe1-ace4-11431d021c04/
Malware family:
NanoCore
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/558c3b5d5716/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/558c3b5d571697ab604649130fd84d0396f116e2d2c2dbbceb57b55f21069717

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/263646/

Comments