MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 59a048d9e77daa656b5f90c45cba08c4371b04fd1724458638992e9c2f83359a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 59a048d9e77daa656b5f90c45cba08c4371b04fd1724458638992e9c2f83359a
SHA3-384 hash: edabd41e30e62d68746f9ffd50a4798d746a74e27982d665d4f5bcd98875797b8ca7e223f7283577d49a17e50528a1cd
SHA1 hash: 16dc67e2112324640a4209bd6085f2eb0a05f60d
MD5 hash: 0678ca732d8bec3e61349cd801f04a34
humanhash: eleven-florida-charlie-bacon
File name:DHL AWB TRACKING DETAILS.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:394'597 bytes
First seen:2022-03-07 19:01:10 UTC
Last seen:2022-03-07 20:37:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep 6144:rGihkwxTmrSnCa/tRCZoPxYi2GZmzWtGJm9oAyanrKOu7y3Il2ug2lOyvTaGcKed:+aSSb/rfrb2pIxuwrUO8cZUisA
Threatray 4'556 similar samples on MalwareBazaar
TLSH T1AE84235B66D38C94E2F800351B729F7CD3F7A0F843649D1F0B999F6D3A1194B198EA11
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
NanoCore C2:
185.140.53.25:7688

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.140.53.25:7688 https://threatfox.abuse.ch/ioc/392858/

Intelligence

File Origin
# of uploads :
2
# of downloads :
281
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/247990/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.1.2250.12030.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
Creating a file in the Program Files subdirectories
Launching a process
Searching for synchronization primitives
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NanoCoreRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dff357e8-36b9-4871-ad62-d79cde5373e4
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/952067
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Suspicious Add Scheduled Task From User AppData Temp
Sigma detected: Suspicius Schtasks From Env Var Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 584548 Sample: DHL AWB TRACKING DETAILS.exe Startdate: 07/03/2022 Architecture: WINDOWS Score: 100 61 chinomso.duckdns.org 2->61 63 store-images.s-microsoft.com 2->63 69 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->69 71 Multi AV Scanner detection for domain / URL 2->71 73 Found malware configuration 2->73 75 13 other signatures 2->75 10 DHL AWB TRACKING DETAILS.exe 18 2->10         started        13 tntahvyxjs.exe 2->13         started        15 dhcpmon.exe 2->15         started        17 dhcpmon.exe 2->17         started        signatures3 process4 file5 55 C:\Users\user\AppData\...\tntahvyxjs.exe, PE32 10->55 dropped 57 C:\Users\user\AppData\Local\Temp\fjifmosjk, data 10->57 dropped 19 tntahvyxjs.exe 10->19         started        22 WerFault.exe 23 9 13->22         started        26 WerFault.exe 9 13->26         started        28 WerFault.exe 19 9 15->28         started        30 WerFault.exe 10 17->30         started        process6 dnsIp7 77 Multi AV Scanner detection for dropped file 19->77 79 Machine Learning detection for dropped file 19->79 81 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 19->81 83 2 other signatures 19->83 32 tntahvyxjs.exe 1 16 19->32         started        65 192.168.2.1 unknown unknown 22->65 51 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 22->51 dropped 53 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 26->53 dropped file8 signatures9 process10 dnsIp11 59 chinomso.duckdns.org 185.140.53.25, 49759, 49760, 49763 DAVID_CRAIGGG Sweden 32->59 45 C:\Program Files (x86)\...\dhcpmon.exe, PE32 32->45 dropped 47 C:\Users\user\AppData\Roaming\...\run.dat, data 32->47 dropped 49 C:\Users\user\AppData\Local\...\tmpB58C.tmp, XML 32->49 dropped 67 Hides that the sample has been downloaded from the Internet (zone.identifier) 32->67 37 schtasks.exe 1 32->37         started        39 schtasks.exe 1 32->39         started        file12 signatures13 process14 process15 41 conhost.exe 37->41         started        43 conhost.exe 39->43         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/59a048d9e77daa656b5f90c45cba08c4371b04fd1724458638992e9c2f83359a/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-03-07 19:02:10 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
21 of 27 (77.78%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lgqerwphpwvgk227sdcfzoqiyq3rwbh5c4selbrytexjyl4dgwna._file
Verdict:
malicious
Similar samples:
13d4188437fd7caf662393052ef82808bf70cdb5e31fcc2f162ad2dffad377aa
NanoCore
558470db798ec71e380a908adaf33e8d39850165e623bdb129196b79919f4248
NanoCore
6a2790a5909d2769409da00b867f514698f39d3bd034851e72863b6b5ee05cda
NanoCore
701bb01a18a334705d23c8a03cbf85472adf5df3db38f8791c24d07e42cf6d5e
NanoCore
754a492ef497df0dfb09de45b56ca338bda9d031275e388b356366fa29783039
NanoCore
ea928c88deed19528dead0fc786936f6ac102f94905ce1bff6df678b7c560726
NanoCore
f3457b15e193b2fa2ce2fff91da46d671208034e010091cf1f88cc0231f35f71
NanoCore
+ 4'546 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/220307-xps29sffh5/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
Executes dropped EXE
NanoCore
Malware Config
C2 Extraction:
chinomso.duckdns.org:7688
Unpacked files
SH256 hash:
59a048d9e77daa656b5f90c45cba08c4371b04fd1724458638992e9c2f83359a
MD5 hash:
0678ca732d8bec3e61349cd801f04a34
SHA1 hash:
16dc67e2112324640a4209bd6085f2eb0a05f60d
Link:
https://www.unpac.me/results/56af310a-4a26-45b5-93b2-451f148b016f/
Malware family:
NanoCore
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/59a048d9e77d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/59a048d9e77daa656b5f90c45cba08c4371b04fd1724458638992e9c2f83359a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:malware_Nanocore_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:MALWARE_Win_NanoCore
Create hunting rule
Author:ditekSHen
Description:Detects NanoCore
Rule name:nanocore_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Feb18_1_RID2DF1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:Nanocore_RAT_Gen_2_RID2D96
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_nanocore_w0
Create hunting rule
Author:Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/247990/

Comments