MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6a4ecef563225ed9892ff403374d704be5e3b4242ae9f08d624325e83fd22276. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 9

Intelligence 9 IOCs YARA 5 File information Comments

SHA256 hash:	6a4ecef563225ed9892ff403374d704be5e3b4242ae9f08d624325e83fd22276
SHA3-384 hash:	4056cf827562a2882cdc09e331f17d5d1ecb09dbfdfd46b7e07aae89cd0c2519d95052f05625b7d82ec9065b7a870e84
SHA1 hash:	2029d00e7fd81b43e44746256231f04a1bcb06d6
MD5 hash:	9dbcf3122503920f948d6621ac345cfc
humanhash:	tango-bacon-cola-golf
File name:	Correos de España Recibo de impresión de paquete retrasado.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	1'188'864 bytes
First seen:	2020-08-05 09:23:57 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	24576:S4aTebhGnkLR3g2iWD28FtQH6HV71kzgTctpwKpw4Ctyy:S4aTebJLR3Xa8FlpegTctpRpety
Threatray	1'125 similar samples on MalwareBazaar
TLSH	4345D0643984DF9DC82E0F3078232850EBF1AE160E06F64FADD679EC57BA6494D1A74C
Reporter	abuse_ch
Tags:	ESP exe geo NanoCore RAT

abuse_ch

Malspam distributing NanoCore:

HELO: slot0.huguchem.com
Sending IP: 45.95.169.55
From: "Correos de España" <info@huguchem.com>
Subject: Notificación de envío Correos de España
Attachment: Correos de España Recibo de impresión de paquete retrasado.r11 (contains "Correos de España Recibo de impresión de paquete retrasado.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/39344/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Launching a process

Creating a process with a hidden window

Result

Threat name:

Nanocore

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/410821

Signature

Allocates memory in foreign processes

Detected Nanocore Rat

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected AntiVM_3

Yara detected Nanocore RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

nanocore

Link:

https://mwdb.cert.pl/sample/6a4ecef563225ed9892ff403374d704be5e3b4242ae9f08d624325e83fd22276/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-08-05 09:25:09 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=njhm55ldejpntcjp6qbtotlqjps6hnbeflu7bdlcims6qp6sej3a._file

Verdict:

malicious

Label(s):

nanocorerat

NanoCore

73c1dadfe683d9f3dfcd2655018b4a17d0a679caf40195a223f387025086bc86

NanoCore

756fde810887452ab2533283973f2e582df198988bcafde9f20dc85e35f4d5c4

NanoCore

83b70b20d0cdb13e9c420723ba5f025827d21e0c051c6e64b5553a5c372c3374

NanoCore

a37f501c2d65d191828fe20bf148436de23201f6fe852d59dfa67aaa5fc206e8

NanoCore

e29e9d9beb5ce8187decf038cdc0b1d3102b4cfe43715a3b4f934098a943ebed

NanoCore

e4491a0d3030a3c03f75f931bb5f532b6064feb927a9664bda88c675d480b77c

NanoCore

e7fa1cf008969a70a894b2947737b69c26abb63378d9d4305b698b223793029f

NanoCore

ed6ea055c622adab41b5eba73b4d556c4c843b9e77e21933297ca0ce972ce5c4

NanoCore

fadcffc72696cb639334be446d2aeb90743b270276f48b730efbb59b73505a85

NanoCore

+ 1'115 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

evasion trojan keylogger stealer spyware family:nanocore

Link:

https://tria.ge/reports/200805-999cwd4chn/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetThreadContext

Checks whether UAC is enabled

NanoCore

Malware Config

C2 Extraction:

185.140.53.9:9124

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6a4ecef563225ed9892ff403374d704be5e3b4242ae9f08d624325e83fd22276

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/