MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 63dfa06e060f866e2762247bd6f172422c735f8d6f4402bf4b709933c2d4da59. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 63dfa06e060f866e2762247bd6f172422c735f8d6f4402bf4b709933c2d4da59
SHA3-384 hash: b24bdc387f952fbfc7f2a9e03c8f1d8dac043253a68ae8403d72bc19807f1c4ee39330638841accdfe689f3c9efe7494
SHA1 hash: 1c678bd261c079ffa7a53e6fc4f66a98cfbec1e3
MD5 hash: 474f69ac1711e0d6e59c7217ce619185
humanhash: moon-august-bulldog-alpha
File name:Our Ref. 786-16-AZ-519CDN - Order.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:607'232 bytes
First seen:2020-10-07 17:24:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'611 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:+VytH2pzvEJmbuOH+SC7GKCPPNFy7DkbqxFQ8xLeSC2F70KVriZ:DwpzvEJmiOH+SCKnNFkFQ5SCo7xi
Threatray 1'107 similar samples on MalwareBazaar
TLSH 94D4022E66855F6BC53E08FC8C50910D47F4E9291AB3E20BBEF184FBA7E17DA9301591
Reporter abuse_ch
Tags:exe NanoCore RAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
153
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/69011/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/484494
Signature
.NET source code contains potential unpacker
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 294690 Sample: Our Ref. 786-16-AZ-519CDN -... Startdate: 07/10/2020 Architecture: WINDOWS Score: 100 50 Found malware configuration 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 Multi AV Scanner detection for dropped file 2->54 56 12 other signatures 2->56 7 Our Ref. 786-16-AZ-519CDN - Order.exe 7 2->7         started        11 dhcpmon.exe 5 2->11         started        process3 file4 32 C:\Users\user\AppData\...behaviorgraphYGIvZrgXzv.exe, PE32 7->32 dropped 34 C:\Users\...behaviorgraphYGIvZrgXzv.exe:Zone.Identifier, ASCII 7->34 dropped 36 C:\Users\user\AppData\Local\...\tmp6AAD.tmp, XML 7->36 dropped 38 Our Ref. 786-16-AZ...CDN - Order.exe.log, ASCII 7->38 dropped 58 Injects a PE file into a foreign processes 7->58 13 Our Ref. 786-16-AZ-519CDN - Order.exe 1 9 7->13         started        18 schtasks.exe 1 7->18         started        20 schtasks.exe 1 11->20         started        22 dhcpmon.exe 2 11->22         started        24 conhost.exe 11->24         started        26 dhcpmon.exe 11->26         started        signatures5 process6 dnsIp7 46 79.134.225.82, 49733, 49735, 49736 FINK-TELECOM-SERVICESCH Switzerland 13->46 48 192.168.5.247, 54251 unknown unknown 13->48 40 C:\Program Files (x86)\...\dhcpmon.exe, PE32 13->40 dropped 42 C:\Users\user\AppData\Roaming\...\run.dat, data 13->42 dropped 44 C:\...\dhcpmon.exe:Zone.Identifier, ASCII 13->44 dropped 60 Hides that the sample has been downloaded from the Internet (zone.identifier) 13->60 28 conhost.exe 18->28         started        30 conhost.exe 20->30         started        file8 signatures9 process10
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/63dfa06e060f866e2762247bd6f172422c735f8d6f4402bf4b709933c2d4da59/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-07 17:10:10 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mpp2a3qgb6dg4j3cer55n4lsiiwhgx4nn5cafp2locmthqwu3jmq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
007496b08a75c10d024eaa0fb68783f9a012e8f707edbd804d3268e68496d3e6
NanoCore
08c1ed3585826baa8e470be4c446478a895317380573ef787e53afdc264569e3
NanoCore
4bdce1c0f19e06fe3011983fd12202ca87b82016cf29422554ec1687e0ff377f
NanoCore
7795d2106023220b5e106b1e05815e7818d66189c01d4bc927767008fccdc6d2
NanoCore
91966b77a6acc2fd64c773d8797a505c40ecd272ebb4b44a5757990b5e4939c5
NanoCore
9279c6ca7db65d126d35f77f8dc93b46c0e6e68a5ba6da1789ae30c1959bb898
NanoCore
93bf34f3e42fb55786de7c65c2aa7f8340194e12708170e7f9a0bf0c42c2a72f
NanoCore
a9352a90a15c864ae05d1d1138aff00094883dc44afffc471e837e46fe3eb24e
NanoCore
ea4115e347193aa868162072e3db30d9652650aa2915726aa83d91beb202b9bb
NanoCore
fe7d67f2ca207d604740c8e66d22638049ca8a0c40818ad9f1d8515d6912f16d
NanoCore
+ 1'097 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
evasion trojan keylogger stealer spyware family:nanocore persistence
Link:
https://tria.ge/reports/201007-rkgs1h81ts/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
NanoCore
Malware Config
C2 Extraction:
79.134.225.82:54251
192.168.5.247:54251
Unpacked files
SH256 hash:
63dfa06e060f866e2762247bd6f172422c735f8d6f4402bf4b709933c2d4da59
MD5 hash:
474f69ac1711e0d6e59c7217ce619185
SHA1 hash:
1c678bd261c079ffa7a53e6fc4f66a98cfbec1e3
Link:
https://www.unpac.me/results/15e50534-a340-481e-a4c7-096c912ef335/
SH256 hash:
13b24d3a09d099dabe41cd6cd71607a77e14640b1e9b4ed2d60f6c012f191c43
MD5 hash:
109cedae3c384a1913107f1efad2b7c8
SHA1 hash:
1f7f35b0ed85fa12bb839cbce698e59a30813420
Link:
https://www.unpac.me/results/15e50534-a340-481e-a4c7-096c912ef335/
SH256 hash:
2ce31869d3f088e65a0de0a5c4c6afa589452d3058a9ca37452d69c442ce5ac3
MD5 hash:
2633bfc89dfb8c3c1e08b657373494e6
SHA1 hash:
2c5b2590500a2ff20957689cef19a04009fbcadd
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/15e50534-a340-481e-a4c7-096c912ef335/
Parent samples :
63dfa06e060f866e2762247bd6f172422c735f8d6f4402bf4b709933c2d4da59
b713419450af62ccb585f2636216809e83b16b8046159ddc5a86ca080226c67e
e301fd976c111fd0f209f4cb6e8bd267bd5eb242707ad286b217a5d98032aad6
SH256 hash:
48bbe737ab5b1194a763587f4e9515bf85c361452e352fc202c93b978fdba372
MD5 hash:
5c64db48241c53d027d92cef74a4aa91
SHA1 hash:
9393b42d20365b4852a04b9d845abb365d82ba28
Link:
https://www.unpac.me/results/15e50534-a340-481e-a4c7-096c912ef335/
SH256 hash:
065a884e4789653a591f83a424f5cd0249b5ac8d8ed268ea916102a0e97f0d58
MD5 hash:
2ba6afd67223210d98c987834598f8f9
SHA1 hash:
e9654fe349327b0a1a6b30bd834b73f9aaf29b15
Link:
https://www.unpac.me/results/15e50534-a340-481e-a4c7-096c912ef335/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/63dfa06e060f866e2762247bd6f172422c735f8d6f4402bf4b709933c2d4da59

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/69011/

Comments