MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6744cb50ec61375fecb780f86bef73a254d0fb45c5b23d0eb9ae375fa19ac4d5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 4


Intelligence 4 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6744cb50ec61375fecb780f86bef73a254d0fb45c5b23d0eb9ae375fa19ac4d5
SHA3-384 hash: c0e9fc9f8235393a643da9b9f2ab2be25100cea27199da3dac44f0bc59b9708cadc02078dfbc4bdbd5577a5b11542e83
SHA1 hash: 8858fda60d465e56c4e9733ac66cd372260d0296
MD5 hash: d6a31c3c57b3ba1e77615f52744014e3
humanhash: high-lamp-low-golf
File name:window management.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:2'327'552 bytes
First seen:2020-05-21 11:05:32 UTC
Last seen:2020-05-21 13:38:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:Y63eJnedCkVdO0hp6TjQZXHU2xQEN5kk3UgI+E2bteKqT0RfhGZDswYxj5JFE8G1:YwOdTjuXVWWE2RefT6hkaj5JFnzILn
Threatray 1'104 similar samples on MalwareBazaar
TLSH 30B519363587A42CC4184636503DADCAF67A7B473A828F6E728FA34C4F1365F272615E
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
NanoCore payload URL:
https://melodramate.com/shkd/window%20management.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Nanocore.1688.4650.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Noon
Create hunting rule
Status:
Malicious
First seen:
2020-05-21 11:36:56 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
20 of 31 (64.52%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
netwirerc
Create hunting rule
Similar samples:
15d88e59e80b15ed7b24ffd1a496ff718b76a6a7d06cc2be0d1f91e460871c12
NanoCore
1f39a6b78d949b49801703687e3ee181ddfba0e21b13e094f584808d5030ebe2
NanoCore
49ad0ed3bf58f6bec614955067d2a6ae9a19825412ed6f6e851973d5d809293f
NanoCore
756fde810887452ab2533283973f2e582df198988bcafde9f20dc85e35f4d5c4
NanoCore
9c62e75f2dc168671bddfe8cad2b102197c10d9039d8917a7637585ff603dbdd
NanoCore
9fc240db7a0cd883c35e2cbfc6e8dcb2bb3921514dbce65aef46711de4a06a6a
NanoCore
b982293fd90384c609fb3879b14af3ab6a780c0cb9f3cb6baf1fe81a3f400e29
NanoCore
c4f0b3610d084b670fbcd8d5405153b208907ac348a190df4cfa41b1dc4f029c
NanoCore
e29e9d9beb5ce8187decf038cdc0b1d3102b4cfe43715a3b4f934098a943ebed
NanoCore
e41e433626e9dbf6c3a56c29c9dc60adfa53f71cd1c3bc10d682a1b2239c576d
NanoCore
+ 1'094 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore agilenet evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-ekjsa6mg2a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Executes dropped EXE
NanoCore
Malware Config
C2 Extraction:
1.tcp.ngrok.io:29703
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

Word file doc bfb6fe9959feebc3ec646621a3813dd55b579a096d4225f5b7deab1c14af2829

NanoCore

Executable exe 6744cb50ec61375fecb780f86bef73a254d0fb45c5b23d0eb9ae375fa19ac4d5

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/366145/
  
Dropped by
MD5 00bc907fc33a0795fc089c229589f722
  
Dropped by
SHA256 bfb6fe9959feebc3ec646621a3813dd55b579a096d4225f5b7deab1c14af2829
  
Delivery method
Distributed via web download

Comments