MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6103f2bedc6c54bda0601f381c3795e6526014e2010a6625c4816d9d48d09801. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 11


Intelligence 11 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6103f2bedc6c54bda0601f381c3795e6526014e2010a6625c4816d9d48d09801
SHA3-384 hash: 40243acf143b98a33ff505b6655aaaa2957a73c894ef3d5850e0936355f313b69a399774ea157cb92a5d80fea48bdd11
SHA1 hash: c543d59038853a28900344d4f698d3625322e7ff
MD5 hash: 7d530f25a8eed99ce827892201f34a73
humanhash: lemon-salami-mirror-purple
File name:ZODAX BOOKING ADVISE-SHA-TOP HARVEST.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:890'368 bytes
First seen:2021-03-06 06:10:19 UTC
Last seen:2021-03-06 07:58:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:BT8teodM4fNDVbUs2yxsBDkhpxA0mblb1/Md0ZjbXTLFbgTEf:BnBDcS5b1/vZHXPAG
Threatray 9 similar samples on MalwareBazaar
TLSH A915C7F8F0DDD0FDC462A6B03A607C3883F66D50D925A40A588CFDD36ABBDA16B53512
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: slot0.guniabaers.com
Sending IP: 194.31.96.135
From: info@erbessd-instruments.com
Subject: RE:21FAR019 - ZODAX PO#46980 - Shanghai port
Attachment: ZODAX BOOKING ADVISE-SHA-TOP HARVEST.r00 (contains "ZODAX BOOKING ADVISE-SHA-TOP HARVEST.exe")

NanoCore RAT C2:
dowas.hopto.org

Intelligence

File Origin
# of uploads :
2
# of downloads :
216
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ZODAX BOOKING ADVISE-SHA-TOP HARVEST.exe
Verdict:
Malicious activity
Analysis date:
2021-03-06 06:12:52 UTC
Tags:
rat nanocore
Link:
https://app.any.run/tasks/9535abd2-374b-4fc8-96cb-625623f3987d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/122581/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.45841065.19896.5521.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Creating a file in the %AppData% subdirectories
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/630418
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Binary contains a suspicious time stamp
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 364182 Sample: ZODAX BOOKING ADVISE-SHA-TO... Startdate: 06/03/2021 Architecture: WINDOWS Score: 100 45 dowas.hopto.org 2->45 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Multi AV Scanner detection for dropped file 2->53 55 13 other signatures 2->55 9 ZODAX BOOKING ADVISE-SHA-TOP HARVEST.exe 6 2->9         started        13 ZODAX BOOKING ADVISE-SHA-TOP HARVEST.exe 4 2->13         started        signatures3 process4 file5 39 C:\Users\user\AppData\Roaming\HyZPIlNg.exe, PE32 9->39 dropped 41 C:\Users\user\AppData\Local\...\tmp9DC3.tmp, XML 9->41 dropped 43 ZODAX BOOKING ADVI...TOP HARVEST.exe.log, ASCII 9->43 dropped 57 Injects a PE file into a foreign processes 9->57 15 ZODAX BOOKING ADVISE-SHA-TOP HARVEST.exe 10 9->15         started        19 schtasks.exe 1 9->19         started        21 schtasks.exe 1 13->21         started        23 ZODAX BOOKING ADVISE-SHA-TOP HARVEST.exe 2 13->23         started        25 ZODAX BOOKING ADVISE-SHA-TOP HARVEST.exe 13->25         started        27 ZODAX BOOKING ADVISE-SHA-TOP HARVEST.exe 13->27         started        signatures6 process7 dnsIp8 47 dowas.hopto.org 185.244.30.11, 3259, 49734, 49749 DAVID_CRAIGGG Netherlands 15->47 37 C:\Users\user\AppData\Roaming\...\run.dat, ISO-8859 15->37 dropped 29 schtasks.exe 1 15->29         started        31 conhost.exe 19->31         started        33 conhost.exe 21->33         started        file9 process10 process11 35 conhost.exe 29->35         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6103f2bedc6c54bda0601f381c3795e6526014e2010a6625c4816d9d48d09801/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-03-06 02:30:15 UTC
AV detection:
19 of 45 (42.22%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=meb7fpw4nrkl3idad44byn4v4zjgafhcaefgmjoeqfwz2sgqtaaq._file
Verdict:
unknown
Similar samples:
3515459b4e069b4d498b7f14cd94361592688cfdc7bd98b4fbf98527636a554d
NanoCore
43e2d2c29a61f54e852de863249be0d070e4f71d8c77cbfd42d44beaf7ec8444
NanoCore
58da120970be7bbf194aa12c38b56f7542174f1672b103d695cc262c6d90f18a
NanoCore
647bdf2171bb254e9d42588d2f58c26d7057daf80da8cd1ec70bb89d71b4d47a
NanoCore
8ce33ed9a7227d43520970b4e7e7afe683f4fcc8dbd210f3373e899a39e1fd2d
NanoCore
9b0bc9cfbb7f7206d7c6578b2c6b618654c455e4e9d0c2926441c89627cb7b8a
NanoCore
b1b6dd7f3a2eb222c3287e31b61a85b23ad0b037b8510d172b03b99565da80b8
NanoCore
e203e603d8d098ec15031453ad9aca0838b18ff053cec7511f29fb414185f8a1
NanoCore
f81f70a17b0907dd726dc4f57126602ed97a746e8ec311a942767b33083dcb40
NanoCore
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210306-2tw53kwxxn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks whether UAC is enabled
NanoCore
Malware Config
C2 Extraction:
Dowas:3259
dowas.hopto.org:3259
Unpacked files
SH256 hash:
3d7dd7d3c4d4fc84dec5f3d0da0f4fed795f59f074cfa189dbb658e94cbca128
MD5 hash:
72be8344ec33087ca2a62effda25868c
SHA1 hash:
74cc9e07f1d1eba29ef7fa72fa5ac4dffe68cfdb
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/371531d2-f5c6-4199-8877-3b683133c9a7/
Parent samples :
8352c44e579db255fe3ac2e5821ff0cf932822d3851ab555f2fe54531c7e427e
6103f2bedc6c54bda0601f381c3795e6526014e2010a6625c4816d9d48d09801
130a875f36a8c9c6b7f9cf7ef2d863837af130538770c76d92b6016b8a00a6c0
SH256 hash:
f8b5b51efedb3e87493ac2439473564603cc3059d57956f209a7310e311a1027
MD5 hash:
d66f89bf838fb52ed59d311a99aea214
SHA1 hash:
342525c4aabbb92abf51459081d34ed0f1cdc965
Link:
https://www.unpac.me/results/371531d2-f5c6-4199-8877-3b683133c9a7/
SH256 hash:
3fb96857b1c5a61747804c0301ed1ab996210a4395b3f55e75999f4a7ca7a8ce
MD5 hash:
d6f92b04505b733f145e7eaeea91fe99
SHA1 hash:
12e10d8eec3e4ec68d5a03e7e8f410b9d08f339d
Link:
https://www.unpac.me/results/371531d2-f5c6-4199-8877-3b683133c9a7/
SH256 hash:
6103f2bedc6c54bda0601f381c3795e6526014e2010a6625c4816d9d48d09801
MD5 hash:
7d530f25a8eed99ce827892201f34a73
SHA1 hash:
c543d59038853a28900344d4f698d3625322e7ff
Link:
https://www.unpac.me/results/371531d2-f5c6-4199-8877-3b683133c9a7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6103f2bedc6c54bda0601f381c3795e6526014e2010a6625c4816d9d48d09801

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:nanocore_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

r00 1ef725698560e70bec6bb086febbe735446c6aa51603986fd3809bc0a7c3a414

NanoCore

Executable exe 6103f2bedc6c54bda0601f381c3795e6526014e2010a6625c4816d9d48d09801

(this sample)

  
Dropped by
MD5 0cb2c1a91196322db9d103ee8c3440f8
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/122581/
  
Dropped by
SHA256 1ef725698560e70bec6bb086febbe735446c6aa51603986fd3809bc0a7c3a414

Comments