MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 62ac819f738f75c7840ae6c91a53ecabb0c711b37ed6cf022f9d1a605a523460. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 17


Intelligence 17 IOCs YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 62ac819f738f75c7840ae6c91a53ecabb0c711b37ed6cf022f9d1a605a523460
SHA3-384 hash: dc888e09ece1df018d7551675e57fb5fd0a27f84444a1d4b449c58e11b561234501456445cfa1273428ee9919f10ec6b
SHA1 hash: 2c298dfa121cf12fa95ea0af2fbb75f74a809f74
MD5 hash: c98de529cef3f418de14bccdff7503f9
humanhash: north-pip-pizza-mountain
File name:Signed Proposal.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:344'896 bytes
First seen:2023-05-01 11:20:22 UTC
Last seen:2023-05-13 22:57:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 6144:/Ya6jdFlXUcGuS1fgB8XagGObNYmxnHzCs9687k2oYgUhFaHh/yivF91qnM579DK:/YhNUcGuygCa22sqsD6haOTD1xNs
Threatray 1'635 similar samples on MalwareBazaar
TLSH T10874221433D5C0BFE8F6CFB01E75152ADCD2A413D8B88E5B8372590A7E12994D71E36A
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
NanoCore C2:
107.182.128.9:7727

Intelligence

File Origin
# of uploads :
3
# of downloads :
346
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
nanocore
Create hunting rule
ID:
1
File name:
Signed Proposal.exe
Verdict:
Malicious activity
Analysis date:
2023-05-01 11:20:56 UTC
Tags:
nanocore rat
Link:
https://app.any.run/tasks/4b369cdd-7472-4ae4-8477-038cb67cdda4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/385809/
Detection(s):
Sanesecurity.Malware.28885.BadCo.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Creating a file in the Program Files subdirectories
Searching for synchronization primitives
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/82092/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo nemesis overlay packed remcos shell32.dll
Link:
https://www.filescan.io/uploads/644fa0a1961a21dc785c3630/reports/95dacc21-85ec-47be-bd03-1f7a477fa7ca/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/62ac819f738f75c7840ae6c91a53ecabb0c711b37ed6cf022f9d1a605a523460
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NanoCoreRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/db0943bb-eb5e-4e6a-8f00-beca3d2d9b9f
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1223976
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic
Uses dynamic DNS services
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/62ac819f738f75c7840ae6c91a53ecabb0c711b37ed6cf022f9d1a605a523460/
Threat name:
Win32.Backdoor.NanoCore
Create hunting rule
Status:
Malicious
First seen:
2023-05-01 11:21:08 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
16 of 37 (43.24%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mkwidh3tr524pbak43eruu7mvoymoentp3lm6arptungawssgrqa._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
3d36a06552f24dc4a5ac3a4d9594e30dee088c95c1139b6e2d1374130d9065d9
NanoCore
4c39d7bc897c365a5c93f4fa958362f6e98d6cbdf8f7dcd9f84aa16caa972855
NanoCore
51ab5d042dee8df90162a00a3307cf8d38d12bc54b7dc07c756996aa0f6b3804
NanoCore
b8d747db69fac284ccfeab921f8e06b6403763914b776ff518e6d3643ed9056d
NanoCore
c06c0309db9e858944bf7ab5b07ffade02b158f768897036793bb8188180fd8d
NanoCore
eb72630f472d5fb65862fd4272ff040ca8e721b38f56a90c8ac5d538b15e341f
NanoCore
+ 1'625 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230501-nfzzsahb3y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Executes dropped EXE
Loads dropped DLL
NanoCore
Malware Config
C2 Extraction:
arkseven7002.ddns.net:7727
arkseven702.ddns.net:7727
Unpacked files
SH256 hash:
367cc2488c8581dd9c01f31c7e1c6bcfafe5442e6748f89da2968911fb577c6e
MD5 hash:
f52ec901e9bf7ce80da7edfbea52d93b
SHA1 hash:
0d63593501834e23d75490c0668ad806dffaabff
Link:
https://www.unpac.me/results/1da3c219-fca0-4164-a3b2-990259db6fc9/
SH256 hash:
62ac819f738f75c7840ae6c91a53ecabb0c711b37ed6cf022f9d1a605a523460
MD5 hash:
c98de529cef3f418de14bccdff7503f9
SHA1 hash:
2c298dfa121cf12fa95ea0af2fbb75f74a809f74
Link:
https://www.unpac.me/results/1da3c219-fca0-4164-a3b2-990259db6fc9/
Malware family:
NanoCore
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/62ac819f738f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Nanocore
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/62ac819f738f75c7840ae6c91a53ecabb0c711b37ed6cf022f9d1a605a523460

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:malware_Nanocore_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:MALWARE_Win_NanoCore
Create hunting rule
Author:ditekSHen
Description:Detects NanoCore
Rule name:nanocore_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Feb18_1_RID2DF1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:Nanocore_RAT_Gen_2_RID2D96
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:pe_imphash
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_Nanocore_d8c4e3c5
Create hunting rule
Author:Elastic Security
Rule name:win_nanocore_w0
Create hunting rule
Author:Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

z 27ec98afe8ece1ca5895c72cb758e934919518e794cb14335dfe40005c69ce52

NanoCore

Executable exe 62ac819f738f75c7840ae6c91a53ecabb0c711b37ed6cf022f9d1a605a523460

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/385809/
  
Dropped by
SHA256 27ec98afe8ece1ca5895c72cb758e934919518e794cb14335dfe40005c69ce52
  
Dropped by
MD5 6391047eda9aaa6a0e83c153a6b5d711

Comments