MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c2c409d2c16331f9a920463e9ae97bd41c53be5d3ea1d87290da6a0350e4470. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 11 File information Comments

SHA256 hash:	6c2c409d2c16331f9a920463e9ae97bd41c53be5d3ea1d87290da6a0350e4470
SHA3-384 hash:	365526555e035984e9a4c4987ddb2b71f3a4eee9974f370fd9948401a7d18bf84df923040d8e613fe24f349989eec432
SHA1 hash:	b2dbb191b4d547d81af795db12dc76bb2dd64da0
MD5 hash:	123ce41e2ffb293597ddfde339a57696
humanhash:	minnesota-alanine-wolfram-crazy
File name:	DHL AWB TRACKING DETAILS.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	394'751 bytes
First seen:	2022-03-07 10:51:13 UTC
Last seen:	2022-03-07 13:02:48 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep	6144:rGi0VZws44shCY6qsx+O0n94i7EDfMC5GGp6SFDk8wYvcizsWSjv0HdTe+UpYodd:aZw+eC59x+Ow9vE4C5b6StPvDdv+3
Threatray	4'536 similar samples on MalwareBazaar
TLSH	T16084235779C1CC1EE15701B932FBB376E3FBD245106B2A8B072875F23616724430A66B
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	abuse_ch
Tags:	exe NanoCore RAT

abuse_ch

NanoCore C2:
185.244.31.162:7688

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
185.244.31.162:7688	https://threatfox.abuse.ch/ioc/392779/

Intelligence

File Origin

# of uploads :

# of downloads :

267

Origin country :

n/a

Vendor Threat Intelligence

Detection:

NanoCore

Link:

https://www.capesandbox.com/analysis/247876/

Detection(s):

SecuriteInfo.com.Suspicious.Win32.Save.a.32626.11233.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Creating a process from a recently created file

Sending a custom TCP request

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

NanoCoreRAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d2680db4-97d5-4ad2-9a42-2624c28d3f1e

Result

Threat name:

Nanocore

Detection:

malicious

Classification:

troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/951741

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Yara detected Nanocore RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

nanocore

Link:

https://mwdb.cert.pl/sample/6c2c409d2c16331f9a920463e9ae97bd41c53be5d3ea1d87290da6a0350e4470/

Threat name:

Win32.Trojan.Woreflint

Status:

Malicious

First seen:

2022-03-07 10:52:12 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

17 of 27 (62.96%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=nqwebhjmcyzr7gusarr6tluxxva4ko7f2pvb3bzjbwtkanioirya._file

Verdict:

malicious

NanoCore

75f7a5b155426bf485770e395bac90894eee5f8d1742f774429d726f7a5156bc

NanoCore

8bc02da97643547d5839c46725fdde87308623dbdd1e479d8f7e76c7405ac5f9

NanoCore

dc398f97c7c248ee6e669cb910b617224c1da4eb8338a37fc4ed812784f83a24

NanoCore

dfbd0454d410a8eecba728864c1c9c04144ddef2c009ef719d6ff72ca2dac701

NanoCore

ea4e421a809854f53794fe7beb0e77aa813287565edcfc904deadee8121caf3a

NanoCore

f3457b15e193b2fa2ce2fff91da46d671208034e010091cf1f88cc0231f35f71

NanoCore

+ 4'526 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

family:nanocore evasion keylogger persistence spyware stealer suricata trojan

Link:

https://tria.ge/reports/220307-myek5agdcj/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Drops file in Program Files directory

Suspicious use of SetThreadContext

Adds Run key to start application

Checks whether UAC is enabled

Loads dropped DLL

Executes dropped EXE

NanoCore

suricata: ET MALWARE Possible NanoCore C2 60B

Malware Config

C2 Extraction:

chinomso.duckdns.org:7688

Unpacked files

SH256 hash:

6c2c409d2c16331f9a920463e9ae97bd41c53be5d3ea1d87290da6a0350e4470

MD5 hash:

123ce41e2ffb293597ddfde339a57696

SHA1 hash:

b2dbb191b4d547d81af795db12dc76bb2dd64da0

Link:

https://www.unpac.me/results/e38b9f70-5a10-480e-b4a9-06bbb7da23bf/

Malware family:

NanoCore

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/6c2c409d2c16/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.38

Link:

https://yomi.yoroi.company/submissions/6c2c409d2c16331f9a920463e9ae97bd41c53be5d3ea1d87290da6a0350e4470

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	malware_Nanocore_strings Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	MALWARE_Win_NanoCore Create hunting rule
Author:	ditekSHen
Description:	Detects NanoCore

Rule name:	nanocore_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Feb18_1_RID2DF1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name:	Nanocore_RAT_Gen_2_RID2D96 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_nanocore_w0 Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/247876/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample