MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 63d73364386219bc4ed7a0d6e88d1644389a493b1b762f9061013cb2ceda43d5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 12


Intelligence 12 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 63d73364386219bc4ed7a0d6e88d1644389a493b1b762f9061013cb2ceda43d5
SHA3-384 hash: 0f22c518084d95c862426767c3b3f68f90aa0ee78fb6cf8c4bd774dbdf82d5fc7de2d7640285c4e316fcfd89fd7ea1d2
SHA1 hash: 36f7cf435370b3ddc06bef6075e7e3ccad364f33
MD5 hash: ded18bc0b17afaaacbba1fc3ce72288e
humanhash: burger-table-alanine-juliet
File name:JfRbEbUkpV39K4L.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:593'920 bytes
First seen:2020-12-24 13:37:48 UTC
Last seen:2020-12-24 15:37:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'749 x AgentTesla, 19'653 x Formbook, 12'246 x SnakeKeylogger)
ssdeep 12288:ru0jrXcRuTRrLHkIP/QelF9NlYNaWdBDQKLb:KhcRrgSFhqaWncKH
Threatray 1'420 similar samples on MalwareBazaar
TLSH EBC402155660D373C93883F99462B26A3372A66EA985F27F5CC8B2DB1D733009337A47
Reporter Anonymous
Tags:NanoCore

Intelligence

File Origin
# of uploads :
2
# of downloads :
1'000
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
JfRbEbUkpV39K4L.exe
Verdict:
Malicious activity
Analysis date:
2020-12-24 13:39:23 UTC
Tags:
rat nanocore trojan
Link:
https://app.any.run/tasks/23d6fc9c-db0e-493b-8c2d-a57125b84a9b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/109344/
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Generic.hc.21611.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
0
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/569734
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Connects to many ports of the same IP (likely port scanning)
Detected Nanocore Rat
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 333926 Sample: JfRbEbUkpV39K4L.exe Startdate: 24/12/2020 Architecture: WINDOWS Score: 100 55 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 Multi AV Scanner detection for dropped file 2->59 61 13 other signatures 2->61 8 JfRbEbUkpV39K4L.exe 6 2->8         started        12 RegSvcs.exe 4 2->12         started        14 dhcpmon.exe 4 2->14         started        16 dhcpmon.exe 3 2->16         started        process3 file4 45 C:\Users\user\AppData\...\maZHRDzPDqIzJ.exe, PE32 8->45 dropped 47 C:\Users\user\AppData\Local\...\tmp7ACF.tmp, XML 8->47 dropped 49 C:\Users\user\...\JfRbEbUkpV39K4L.exe.log, ASCII 8->49 dropped 67 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->67 69 Writes to foreign memory regions 8->69 71 Allocates memory in foreign processes 8->71 73 Injects a PE file into a foreign processes 8->73 18 RegSvcs.exe 1 14 8->18         started        23 schtasks.exe 1 8->23         started        25 conhost.exe 12->25         started        27 conhost.exe 14->27         started        29 conhost.exe 16->29         started        signatures5 process6 dnsIp7 51 79.134.225.43, 49756, 49757, 49767 FINK-TELECOM-SERVICESCH Switzerland 18->51 53 strongodss.ddns.net 18->53 41 C:\Users\user\AppData\Roaming\...\run.dat, data 18->41 dropped 43 C:\Program Files (x86)\...\dhcpmon.exe, PE32 18->43 dropped 63 Protects its processes via BreakOnTermination flag 18->63 65 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->65 31 schtasks.exe 1 18->31         started        33 schtasks.exe 1 18->33         started        35 conhost.exe 23->35         started        file8 signatures9 process10 process11 37 conhost.exe 31->37         started        39 conhost.exe 33->39         started       
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/63d73364386219bc4ed7a0d6e88d1644389a493b1b762f9061013cb2ceda43d5/
Threat name:
ByteCode-MSIL.Backdoor.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2020-12-24 12:02:14 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mpltgzbymim3ytwxudlordiwiq4jusj3dn3c7edbae6lftw2ipkq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
0158b790a1604fc90e7c01c81f7851fb1a86f9e9d01de234b5134b763039707a
NanoCore
27a167d0a3b61e4b0bd436f5ceb5954ac128d5d424e5d60298a96b5c83a5ed45
NanoCore
52a0b32117ded008aba2f96eae8dcd1e49600fa1666ad517d03b81d71f62f8ac
NanoCore
6116ef2b4b628a4f3ded1e531f7a08a62310d2d0644979d301c03836fe33ab1f
NanoCore
a7b77e070e8d82651adb6ac56719e46cc7cbe7a1477e748beffa129bc2a353bc
NanoCore
afc63626f787faecd8eafb1cb22be04cd8ea1afe3bfb1f52e8bccb6d7ef04cb1
NanoCore
b353a8a7967d9d72d358e29044f725e3f359c5fc8aebd0dba84d13701ccfdfac
NanoCore
b59de3e185784023c3bfa211f874ab50b74083e6d0a83174a8c42d74099429a4
NanoCore
c844f3484e31450c39372bcc19ebc94bcff258fd03e8a59edf7b3acc3c91682a
NanoCore
feff3fc0ec32f43f4b02cc5120abf4c12e2a3d6456e73607ca0fc3503649fb25
NanoCore
+ 1'410 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201224-9wzykeh8e2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Maps connected drives based on registry
Checks BIOS information in registry
Uses the VBS compiler for execution
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
NanoCore
Malware Config
C2 Extraction:
strongodss.ddns.net:58103
79.134.225.43:58103
Unpacked files
SH256 hash:
63d73364386219bc4ed7a0d6e88d1644389a493b1b762f9061013cb2ceda43d5
MD5 hash:
ded18bc0b17afaaacbba1fc3ce72288e
SHA1 hash:
36f7cf435370b3ddc06bef6075e7e3ccad364f33
Link:
https://www.unpac.me/results/da7ea1f4-9ab7-4a4b-8131-695c806b7c93/
SH256 hash:
1852c92818267c50e0cb5df55e58943acccb90457065c978bbf0b36fc8989d02
MD5 hash:
8c0511bdc17d3b217f1bab3885e57e00
SHA1 hash:
51e5bd9b2abca6b33b1c4d38e54bed84c02e1fb8
Link:
https://www.unpac.me/results/da7ea1f4-9ab7-4a4b-8131-695c806b7c93/
SH256 hash:
7ca9eba1bacb0dcfea51c59b2333703ef5deda7be4bc6e6cc0c078910cf9ad1a
MD5 hash:
399fadb18d16988da1a128fdc5b933a4
SHA1 hash:
58ec9164a716e107c88e74bb8c6e62e4179af4b4
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/da7ea1f4-9ab7-4a4b-8131-695c806b7c93/
Parent samples :
63d73364386219bc4ed7a0d6e88d1644389a493b1b762f9061013cb2ceda43d5
b40e22d33523ae869ba4a9a9159d37d61ec056fc14dc3db7406d79620b801816
619c9abd4165537a7e53c57f2c0a2ab9597c35f53a4bb0b9cdff82814ddd73cd
8da32ea516feb3bc471ba01ed18cb0aca1a9f39966c86ca4624dd2cea2e226cd
205f2ef71a4a099b8cac6b0df7be7d04f5ca0c65e31fb1c00158f656cf2785c3
88ff1e98dcbd97e019e62abc039b84689c902b602f6b2f6ca2b1094b2643280d
de8da0607d432138fac74f2a90369cb59bbac0116358c3d95046fe21172a717a
4ab0583ffd51ef40c7531a93f294c16dfbcfaa1daf13835b8bd231c269a780c8
089330d388e4dc633ebed7df430ba707610c6e65926e16205075d11e930bd5ba
66aa40f73af1eca858d7abc1c9970c8db766838ffa6765a7e6962b59268aa716
SH256 hash:
4e52376fb770ad641050ebd08a25c61815792694ef169477b19979483c31cebe
MD5 hash:
c9f5cf3c184221b7e2ffc4586ed0d539
SHA1 hash:
b44b29bff4cc2a5cd13991a8ca1e0bfd57504552
Link:
https://www.unpac.me/results/da7ea1f4-9ab7-4a4b-8131-695c806b7c93/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.75
Link:
https://yomi.yoroi.company/submissions/63d73364386219bc4ed7a0d6e88d1644389a493b1b762f9061013cb2ceda43d5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:nanocore_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/109344/

Comments