MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6039522fefe49f8bd1fdce03aaaace7c17b953ee76866329664d3a170bf13e2c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NanoCore


Vendor detections: 16



SHA256 hash: 6039522fefe49f8bd1fdce03aaaace7c17b953ee76866329664d3a170bf13e2c
SHA3-384 hash: 3bc7793ba0741a3fa1202d5199aaaec92734d8017d95385fd4a8e527350f83a08d786e520db64e40355cc302e55c3a72
SHA1 hash: f4195c95b7906151cb8514936cbf053ff3838bba
MD5 hash: e729488de55dd211c6044f04b26059e4
humanhash: eight-georgia-oven-video
File name: SecuriteInfo.com.Variant.MSILHeracles.41449.342.31895
Signature NanoCore
File size: 830'464 bytes
First seen: 2022-08-18 04:29:58 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:7IKjezN7vJ3It11R/5P06nZNFa9+CqEjWodQtKhYSTqsK++YA3FT:7IQezd1INPpta9FjWoM68sZIN
Threatray 4'809 similar samples on MalwareBazaar
TLSH T1E105CF0077E89911EBBA9F3ECA74111058F6F9D76A2BE31F2A9122ED0D767580C5334B
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon 017896b3a3361821 (10 x Formbook, 9 x AgentTesla, 3 x SnakeKeylogger)
Reporter SecuriteInfoCom
Tags: exe NanoCore

Intelligence


File Origin
# of uploads :
1
# of downloads :
334
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
nanocore
ID:
1
File name:
SecuriteInfo.com.Variant.MSILHeracles.41449.342.31895
Verdict:
Malicious activity
Analysis date:
2022-08-18 04:30:49 UTC
Tags:
trojan nanocore rat

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Nanocore
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Behavior Graph ID: 686051 (graph image not reproduced). Sample: SecuriteInfo.com.Variant.MS..., start date 18/08/2022, architecture WINDOWS, score 100. Recoverable process tree: the sample executable starts powershell.exe and schtasks.exe (each with a conhost.exe child), a further copy of itself, and dhcpmon.exe; the second-stage instance contacts brewsterchristophe.ddns.net (109.206.241.195, ports 49706-49708, AWMLTNL, Germany) and 192.168.2.1. Dropped files shown in the graph: zhuzQpepHPuJSx.exe (PE32) with a Zone.Identifier stream under C:\Users\user\AppData\..., tmp9AD2.tmp (XML), an .exe.log file, dhcpmon.exe (PE32) with a Zone.Identifier stream under C:\Program Files (x86)\..., and run.dat under C:\Users\user\AppData\Roaming\.... Signatures attached to the graph: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes; Hides that the sample has been downloaded from the Internet (zone.identifier); 14 other signatures.
Threat name:
ByteCode-MSIL.Backdoor.NanoCore
Status:
Malicious
First seen:
2022-08-18 02:13:21 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Result
Malware family:
nanocore
Score:
  10/10
Tags:
family:nanocore evasion keylogger persistence spyware stealer trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Checks computer location settings
NanoCore
Malware Config
C2 Extraction:
brewsterchristophe.ddns.net:5899
194,147,5,75:5899
Unpacked files
SHA256 hash:
551ef0181260a5ab5728a618c2e86443753aaeb425e6c3b1346dfb0a661c73af
MD5 hash:
3c7205139e6aabd7de040b15021c24ed
SHA1 hash:
e4c66e4ca1bb3b5488d7c4ba7fddc8cac118955f
SHA256 hash:
1705f8964f5c236633462fd39a5014dab266d579d4c6eefb65ac1ce95e22c552
MD5 hash:
23e4d54d6d369f1cef788806c92f512a
SHA1 hash:
274d8ceb73e8ed7661451c8aba24cecd830cd302
Detections:
win_nanocore_w0
Parent samples :
SHA256 hash:
9b4aee132a0228378d66a57fda3a2030952309ef74cf2db724ac916b04d8c034
MD5 hash:
93c6391d23c1aa1ed66fb13f82f2ee31
SHA1 hash:
220098c3047c32b51ae13a5cc1e9beeef3da6e18
SHA256 hash:
92a96efac25311e8a7978c1c8205cda01b6e8779c7f951fd918b9549516758de
MD5 hash:
607955f1d2890aae07ac5dea669abf5a
SHA1 hash:
1d1e53194e195f2946826d1aa85b4c0394ba1f9f
SHA256 hash:
990f341e5eb7e18d5c8be1a143cb2440a5d2f29c148dfab4f6db63e2876db183
MD5 hash:
55924d361aabe0709936cfa61728fc06
SHA1 hash:
09abb3dc1d93437c9a528517c483ffbdaa11bc56
SHA256 hash:
6039522fefe49f8bd1fdce03aaaace7c17b953ee76866329664d3a170bf13e2c
MD5 hash:
e729488de55dd211c6044f04b26059e4
SHA1 hash:
f4195c95b7906151cb8514936cbf053ff3838bba
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Author:abuse.ch
Rule name:malware_Nanocore_strings
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:MALWARE_Win_NanoCore
Author:ditekSHen
Description:Detects NanoCore
Rule name:nanocore_rat
Author:jeFF0Falltrades
Rule name:Nanocore_RAT_Feb18_1
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Feb18_1_RID2DF1
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Author:Florian Roth
Description:Detects the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:Nanocore_RAT_Gen_2_RID2D96
Author:Florian Roth
Description:Detects the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:win_nanocore_w0
Author:Kevin Breen <kevin@techanarchy.net>

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments