MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 674b27aff16d272d81d002580257502c06f5f8d468141be2eef4386d51c91a99. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 674b27aff16d272d81d002580257502c06f5f8d468141be2eef4386d51c91a99
SHA3-384 hash: 683f4e65cfbc4431325da4187c78c428b6be6cd45ba3980cec3830db32fefa0b1e23988ca7eb8e622fecd2e06e6d6a02
SHA1 hash: 0948ef3f460417aba5770d288bc34b82f3c65e35
MD5 hash: f8d60e01998ddfaf6494ae4028bdf601
humanhash: delta-carpet-harry-glucose
File name:DHLExpressShipmentConfirmationBJC400618092909.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:528'896 bytes
First seen:2021-03-31 16:29:02 UTC
Last seen:2021-03-31 18:10:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:v7Z+AsmIKgOwN8h80wZ0UYtdsyExhJp8UuMASdw3H:v1xsmiQwZ0UOslBL6
Threatray 36 similar samples on MalwareBazaar
TLSH 17B4DF13B24C5B2DE2BE57B53070063013E5EF13D722EA49BED8EDAC05A264C56677E2
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
NanoCore C2:
46.183.220.61:4488

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
46.183.220.61:4488 https://threatfox.abuse.ch/ioc/6315/

Intelligence

File Origin
# of uploads :
2
# of downloads :
136
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
674b27aff16d272d81d002580257502c06f5f8d468141be2eef4386d51c91a99.zip
Verdict:
No threats detected
Analysis date:
2021-03-31 17:13:01 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/12916bcd-fdac-49f1-b983-273bebf92242

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/129571/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.576.15896.22455.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/660659
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 379259 Sample: DHLExpressShipmentConfirmat... Startdate: 31/03/2021 Architecture: WINDOWS Score: 100 71 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->71 73 Found malware configuration 2->73 75 Malicious sample detected (through community Yara rule) 2->75 77 11 other signatures 2->77 8 DHLExpressShipmentConfirmationBJC400618092909.exe 7 2->8         started        12 dhcpmon.exe 5 2->12         started        14 DHLExpressShipmentConfirmationBJC400618092909.exe 4 2->14         started        16 dhcpmon.exe 2->16         started        process3 file4 61 C:\Users\user\AppData\Roaming\ZUHHTwcC.exe, PE32 8->61 dropped 63 C:\Users\...\ZUHHTwcC.exe:Zone.Identifier, ASCII 8->63 dropped 65 C:\Users\user\AppData\Local\...\tmpF648.tmp, XML 8->65 dropped 67 DHLExpressShipment...00618092909.exe.log, ASCII 8->67 dropped 81 Uses schtasks.exe or at.exe to add and modify task schedules 8->81 18 DHLExpressShipmentConfirmationBJC400618092909.exe 1 15 8->18         started        23 schtasks.exe 1 8->23         started        25 schtasks.exe 12->25         started        27 dhcpmon.exe 12->27         started        29 dhcpmon.exe 12->29         started        31 schtasks.exe 1 14->31         started        33 DHLExpressShipmentConfirmationBJC400618092909.exe 14->33         started        35 schtasks.exe 16->35         started        37 dhcpmon.exe 16->37         started        signatures5 process6 dnsIp7 69 46.183.220.61, 4488, 49734, 49737 DATACLUBLV Latvia 18->69 55 C:\Program Files (x86)\...\dhcpmon.exe, PE32 18->55 dropped 57 C:\Users\user\AppData\Roaming\...\run.dat, ISO-8859 18->57 dropped 59 C:\...\dhcpmon.exe:Zone.Identifier, ASCII 18->59 dropped 79 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->79 39 schtasks.exe 1 18->39         started        41 schtasks.exe 1 18->41         started        43 conhost.exe 23->43         started        45 conhost.exe 25->45         started        47 conhost.exe 31->47         started        49 conhost.exe 35->49         started        file8 signatures9 process10 process11 51 conhost.exe 39->51         started        53 conhost.exe 41->53         started       
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/674b27aff16d272d81d002580257502c06f5f8d468141be2eef4386d51c91a99/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-03-31 16:29:18 UTC
AV detection:
12 of 29 (41.38%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=m5fspl7rnuts3aoqajmaev2qfqdpl6gunakbxyxo6q4g2uojdkmq._file
Verdict:
unknown
Similar samples:
01f2bcea9012a7f62815f8a61475d7e215e778387eae67a4c0aeda8a9a05e811
NanoCore
1487f4e41d24b3440b5d87ca47a899f799f831824bd4d6dd8bb506637157a8ec
NanoCore
1c4b4441e3216049a7c0a8807bdaa0304a2162e0ae6d38b2c1bdb76003fe20f8
NanoCore
72a76728e56304e0d34e9f9512e20e8cc330376ac0d099862920cb003d161acc
NanoCore
79f18eeef7d281b11f7e030d770b3c3fa0e7c595c61e4642e99c4eecd72c6c4e
NanoCore
9b501c547c3a6220c4ce9cec44811a2637adbbd3a11a0bf11ed437fde7747410
NanoCore
b320affd7845fa88848b8143b7d3884162c3c7d653547b92e61826c90720dfcd
NanoCore
d44ab027fea1af8575d4e42667e1021bf1cfbf2e7a56b7cd7e26a605d5720b16
NanoCore
e63cc99dd10607d568a428f192577a19a915e284592ce1bd135d18576596977c
NanoCore
e6a66bca480c62839856e6b9510a46cc2b859c3b6a8191bf9af68290a2ef8134
NanoCore
+ 26 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210331-22z3x536ba/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
NanoCore
Malware Config
C2 Extraction:
46.183.220.61:4488
Unpacked files
SH256 hash:
d436034270fb2d5380e4fcecc1ee6c821a1701aed96045fa13f597da16be08fb
MD5 hash:
00cbf73d8b9f03417a3a32957ec64ed4
SHA1 hash:
b862eff1cf240a5ad5325fd258892e534484a6e8
Link:
https://www.unpac.me/results/ec039b95-ad07-426a-bbea-3a46c3d62b66/
SH256 hash:
674b27aff16d272d81d002580257502c06f5f8d468141be2eef4386d51c91a99
MD5 hash:
f8d60e01998ddfaf6494ae4028bdf601
SHA1 hash:
0948ef3f460417aba5770d288bc34b82f3c65e35
Link:
https://www.unpac.me/results/ec039b95-ad07-426a-bbea-3a46c3d62b66/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Nanocore
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/674b27aff16d272d81d002580257502c06f5f8d468141be2eef4386d51c91a99

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:nanocore_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/129571/

Comments