MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 588b25087097e7c8aa47d12876af1c3fa939a34fdfd22b26884eb60ff9f7371a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 588b25087097e7c8aa47d12876af1c3fa939a34fdfd22b26884eb60ff9f7371a
SHA3-384 hash: be7ab28cfba6eb28becbbecbe9eaab74ff7a0f51e1eca4ab818b41655d29e0f57b1c92343af557597dd09d96ef3fa3c8
SHA1 hash: 694ed69b2b91ce8fe9e895dc28c29d628c482264
MD5 hash: 98b82195aecd8942d2965b81f411eaaa
humanhash: early-video-london-helium
File name:588B25087097E7C8AA47D12876AF1C3FA939A34FDFD22.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:1'243'648 bytes
First seen:2021-08-05 03:40:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3e5b9923ab1e9eb27fe6580af9265696 (3 x NanoCore)
ssdeep 24576:4dOxLFDApSPKk48br94A7KleMjbrnsuuxelFN1zcY:4iLFssPH48H977KKu3c
Threatray 1'053 similar samples on MalwareBazaar
TLSH T1E845F0E5E7D89463C057267489BB5A623F22FB925B29410F2630F45E2C723D2FD21E0B
dhash icon 3b67173b1b1f2f3b (13 x AgentTesla, 7 x BlackMatter, 3 x SnakeKeylogger)
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
NanoCore C2:
192.169.69.25:60612

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
192.169.69.25:60612 https://threatfox.abuse.ch/ioc/165743/

Intelligence

File Origin
# of uploads :
1
# of downloads :
447
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
588B25087097E7C8AA47D12876AF1C3FA939A34FDFD22.exe
Verdict:
Malicious activity
Analysis date:
2021-08-05 03:42:17 UTC
Tags:
installer autoit rat nanocore trojan
Link:
https://app.any.run/tasks/0c33bddf-2150-4699-bad4-3979f7e6695b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/176492/
Detection(s):
Win.Malware.Ototi-6591407-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a window
Moving a recently created file
Enabling the 'hidden' option for recently created files
Running batch commands
Creating a process with a hidden window
Creating a file
Adding an access-denied ACE
Launching a process
Creating a file in the %AppData% subdirectories
DNS request
Connection attempt to an infection source
Sending a UDP request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
KeyBase
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/14a85594-6f6d-4715-9506-169f792abc7d
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/827912
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Drops PE files to the user root directory
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 460343 Sample: 588B25087097E7C8AA47D12876A... Startdate: 06/08/2021 Architecture: WINDOWS Score: 100 40 bproduction.duckdns.org 2->40 54 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->54 56 Found malware configuration 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 10 other signatures 2->60 9 588B25087097E7C8AA47D12876AF1C3FA939A34FDFD22.exe 1 5 2->9         started        12 liqmneh.exe 1 2->12         started        15 rundll32.exe 2->15         started        signatures3 process4 dnsIp5 38 C:\Users\user\AppData\Local\...\liqmneh.exe, PE32 9->38 dropped 17 liqmneh.exe 3 9->17         started        46 192.168.2.1 unknown unknown 12->46 file6 process7 file8 32 C:\Users\user\peol\liqmneh.exe (copy), PE32 17->32 dropped 34 C:\Users\user\liqmneh.exe, PE32 17->34 dropped 48 Multi AV Scanner detection for dropped file 17->48 50 Drops PE files to the user root directory 17->50 52 Allocates memory in foreign processes 17->52 21 liqmneh.exe 6 17->21         started        26 cmd.exe 1 17->26         started        signatures9 process10 dnsIp11 42 bproduction.duckdns.org 192.169.69.25, 49725, 49726, 49728 WOWUS United States 21->42 44 bproduction.zapto.org 21->44 36 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 21->36 dropped 62 Hides that the sample has been downloaded from the Internet (zone.identifier) 21->62 64 Uses schtasks.exe or at.exe to add and modify task schedules 26->64 28 conhost.exe 26->28         started        30 schtasks.exe 1 26->30         started        file12 signatures13 process14
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/588b25087097e7c8aa47d12876af1c3fa939a34fdfd22b26884eb60ff9f7371a/
Threat name:
Win32.Backdoor.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2018-05-30 11:57:05 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lcfskcdqs7t4rksh2euhnly4h6utti2p37jcwjuij23a76pxg4na._file
Verdict:
malicious
Similar samples:
03e6b99846c4ab6a841fa7aa135d2e7230a98957c1595e2ee0bc2b14329871ca
NanoCore
1029ba046df67ee328ad9d21bfd1e6d31c5cedc4d4ead02b29502e220808c751
NanoCore
4b5962005864c7cd8c362e37987f7091991f6f3f0a992e02e1b51beb92292a5d
NanoCore
77d83370f3109b9a0c199c60870edd92184c170abfc2f1817cd625245fcfae10
NanoCore
afe7d487324952929f8f037bdfbd7249049086fc8c4a90a2acdaaffd6d342823
NanoCore
b27c248040351b85f805c45a12dd85396824a1a3388225138d46924a9edd3788
NanoCore
b89620cbc9ac44fd7d39e58b04083b674342f3aa55ed9752160fbf6d2e34b785
NanoCore
e131a045dc4874ee4eed8e75af0faeecaf86a80e18f13b9845a8b6f57686beec
NanoCore
e4319ba20af83dd8ba6041fd70c3c27dc2c79c648de642487fc1a217e0549fc8
NanoCore
ebfcc36e36933bf6454937c260a1370cd3ece3b67d7abbf66ec9eb4d2892dd79
NanoCore
+ 1'043 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger persistence spyware stealer suricata trojan
Link:
https://tria.ge/reports/210805-2dvx3bm2wn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
Executes dropped EXE
NanoCore
suricata: ET MALWARE Possible NanoCore C2 60B
Malware Config
C2 Extraction:
bproduction.zapto.org:60612
bproduction.duckdns.org:60612
Unpacked files
SH256 hash:
f3c3c632d249555931cdf3e1f435a68393f5ce97ad2558e8f3c4d8800c2dde9f
MD5 hash:
83b3a29df3e7cc37cc13c4a68cd6afeb
SHA1 hash:
390bf54487d4e37de18a57d295c19daec87975b9
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/9c4cab57-a2ed-49b5-8a0b-27fd3e61baef/
SH256 hash:
55e43a5b177461df37d054feab6487455ec65be196df511712352eff52eb79bc
MD5 hash:
e58870497d5bc57af831fbb5e98d7aaa
SHA1 hash:
603e87eb4d47231c5debbbf23d6de500c65082f7
Link:
https://www.unpac.me/results/9c4cab57-a2ed-49b5-8a0b-27fd3e61baef/
SH256 hash:
588b25087097e7c8aa47d12876af1c3fa939a34fdfd22b26884eb60ff9f7371a
MD5 hash:
98b82195aecd8942d2965b81f411eaaa
SHA1 hash:
694ed69b2b91ce8fe9e895dc28c29d628c482264
Link:
https://www.unpac.me/results/9c4cab57-a2ed-49b5-8a0b-27fd3e61baef/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/588b25087097e7c8aa47d12876af1c3fa939a34fdfd22b26884eb60ff9f7371a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:nanocore_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_nanocore_w0
Create hunting rule
Author:Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/176492/

Comments