MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6d0a05bee1ed3dde1d37ddd662d2368511d18d3f6145da453adae0c250b90614. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NanoCore


Vendor detections: 10



SHA256 hash: 6d0a05bee1ed3dde1d37ddd662d2368511d18d3f6145da453adae0c250b90614
SHA3-384 hash: 3972aa5634f2c3f456ede36a0c9473f4987c757084be78581b2bff35111e9a060fec4fd1ed00ca0c213cbb941bbcf190
SHA1 hash: 1cd332bc89ca56f08fc52cc8674e9169810f3eac
MD5 hash: 1a3db07ce99e3d321989c9eb53b5000e
humanhash: diet-carpet-sixteen-echo
File name:Order EA566821.exe
Signature NanoCore
File size:433'816 bytes
First seen:2021-06-15 01:21:42 UTC
Last seen:2021-06-15 01:46:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:/YhIdTP9FNq0AwWQR2amUyS0YeYnghAHa:whkFAzQgxUDebUa
Threatray 81 similar samples on MalwareBazaar
TLSH 2A941240AB264212FD4789BBE1F3CE895BA4BF2378D5E00630AC36594933397E1E561F
Reporter abuse_ch
Tags:exe NanoCore RAT


abuse_ch
NanoCore C2:
95.217.232.91:54984

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                    ThreatFox Reference
95.217.232.91:54984    https://threatfox.abuse.ch/ioc/114839/
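The hashes and the C2 above are the pivot points a responder actually uses from an entry like this. The following is an added triage example, not MalwareBazaar, abuse.ch or ThreatFox tooling: it carries the SHA256 values listed on this entry (dropper and unpacked files) and the ThreatFox C2, checks file contents against the hash list, and scans Zeek conn.log records for the C2. The conn.log lines in the block are constructed for illustration; the exact ip:port match is reported with higher confidence than a match on the address alone, because the port is what this sample used on 2021-06-15 and may not hold for later samples.

```python
"""IOC triage for this MalwareBazaar entry: hash lookup plus Zeek conn.log C2 matching.

Added example; not MalwareBazaar, abuse.ch or ThreatFox tooling. The hash and
C2 values are the ones listed on this entry. The conn.log lines at the bottom
are constructed for illustration.
"""
import hashlib
from typing import Dict, Iterable, List, Tuple

# SHA256 values from the entry: the dropper and the three unpacked files.
KNOWN_SHA256: Dict[str, str] = {
    "6d0a05bee1ed3dde1d37ddd662d2368511d18d3f6145da453adae0c250b90614": "Order EA566821.exe (NanoCore dropper)",
    "2f0a114b0c614fb52fcc1759e6f569fa27ca1f8b6a1375b30e218d3fe0606d32": "unpacked file",
    "c68bb32705afee45a916cb322436bcc81233616780302b1a81ebb91b20a5be5b": "unpacked file (YARA: win_nanocore_w0)",
    "20bfa53939d7ed1ea71117060a88c55494ce76b50c80b68f004166ecc64f431f": "unpacked file",
}

# C2 from the ThreatFox reference on this entry.
KNOWN_C2: Dict[Tuple[str, int], str] = {
    ("95.217.232.91", 54984): "NanoCore C2 (ThreatFox IOC 114839)",
}
C2_HOSTS = {ip for ip, _ in KNOWN_C2}


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify_bytes(data: bytes) -> str:
    """Label for a file's contents if its SHA256 is on this entry, else ''."""
    return KNOWN_SHA256.get(sha256_of(data), "")


def match_conn_log(lines: Iterable[str]) -> List[dict]:
    """Scan Zeek conn.log records (tab-separated; '#' lines are header/footer).

    Field order follows the default conn.log layout:
    ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, ...

    An exact responder ip:port match is 'high' confidence. A match on the C2
    address alone is 'medium': the port listed on this entry is what the sample
    used on 2021-06-15, and the same host may listen elsewhere later.
    """
    hits: List[dict] = []
    for line in lines:
        if not line or line.startswith("#"):
            continue
        f = line.rstrip("\n").split("\t")
        if len(f) < 6:
            continue
        ts, uid, src, _sport, dst, dport = f[:6]
        try:
            port = int(dport)
        except ValueError:
            continue
        hit = {"ts": ts, "uid": uid, "src": src, "dst": dst, "dport": port}
        if (dst, port) in KNOWN_C2:
            hit.update(confidence="high", label=KNOWN_C2[(dst, port)])
            hits.append(hit)
        elif dst in C2_HOSTS:
            hit.update(confidence="medium", label="C2 host on an unlisted port")
            hits.append(hit)
    return hits


# Constructed conn.log excerpt (not real traffic): one exact C2 hit, one benign
# HTTPS flow to a TEST-NET address, one flow to the C2 address on another port.
SAMPLE_CONN_LOG = [
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
    "1623720300.123\tCa1\t10.0.0.15\t49812\t95.217.232.91\t54984\ttcp",
    "1623720301.456\tCa2\t10.0.0.15\t49813\t203.0.113.10\t443\ttcp",
    "1623720302.789\tCa3\t10.0.0.22\t49814\t95.217.232.91\t443\ttcp",
]

if __name__ == "__main__":
    for h in match_conn_log(SAMPLE_CONN_LOG):
        print(h["confidence"], h["uid"], f"{h['src']} -> {h['dst']}:{h['dport']}", h["label"])
```

Feed `match_conn_log` the lines of a real conn.log (`open(path)`) and `classify_bytes` the contents of quarantined files; anything that hits the SHA256 list is byte-identical to the dropper or one of its unpacked stages, while a medium-confidence network hit still needs the flow looked at before it is treated as C2.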

Intelligence


File Origin
# of uploads :
2
# of downloads :
178
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Order EA566821.exe
Verdict:
Suspicious activity
Analysis date:
2021-06-15 01:24:22 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Clean
Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Verdict:
Malicious
Result
Threat name:
Nanocore
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Creates an undocumented autostart registry key
Detected Nanocore Rat
Hides that the sample has been downloaded from the Internet (zone.identifier)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Nanocore RAT
Behaviour
Threat name:
ByteCode-MSIL.Backdoor.NanoBot
Status:
Malicious
First seen:
2021-06-15 01:22:11 UTC
AV detection:
8 of 46 (17.39%)
Threat level:
  5/5
Result
Malware family:
nanocore
Score:
  10/10
Tags:
family:nanocore evasion keylogger persistence spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Uses the VBS compiler for execution
NirSoft MailPassView
Nirsoft
Modifies WinLogon for persistence
NanoCore
Malware Config
C2 Extraction:
:0
Unpacked files
SHA256 hash:
2f0a114b0c614fb52fcc1759e6f569fa27ca1f8b6a1375b30e218d3fe0606d32
MD5 hash:
6c1cdbe2ae35985998d6cdecd22b0632
SHA1 hash:
9d888695cb079945ada8d1388bace1c0b0b55033
SHA256 hash:
c68bb32705afee45a916cb322436bcc81233616780302b1a81ebb91b20a5be5b
MD5 hash:
96417f723da62dccd484c7bdb40e139b
SHA1 hash:
545f3ddc9bc83380095c16f5332d6dbeadf2a249
Detections:
win_nanocore_w0
SHA256 hash:
20bfa53939d7ed1ea71117060a88c55494ce76b50c80b68f004166ecc64f431f
MD5 hash:
ae43237f25a93d70c8279b438951b613
SHA1 hash:
2abbe4d06e41a3f8db246e38bbf3d97708bf89b8
SHA256 hash:
6d0a05bee1ed3dde1d37ddd662d2368511d18d3f6145da453adae0c250b90614
MD5 hash:
1a3db07ce99e3d321989c9eb53b5000e
SHA1 hash:
1cd332bc89ca56f08fc52cc8674e9169810f3eac
Please note that we are no longer able to provide a coverage score for Virus Total.
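Two of the sandbox signatures above, "Creates an undocumented autostart registry key" and "Modifies WinLogon for persistence", describe registry changes a host-based detection can catch. The block below is an added example, not the sandbox's rule and not MalwareBazaar code: it checks Sysmon Event ID 13 (RegistryEvent, value set) records, already parsed into dicts, for Winlogon Userinit/Shell values that deviate from the Windows defaults and for new values under Run/RunOnce keys. The event records in the block are constructed, including the file path they mention; nothing on this page states where this sample installs itself.

```python
"""Detect Winlogon and autostart registry tampering in Sysmon registry events.

Added example; not the sandbox's rule and not MalwareBazaar code. Input is a
sequence of Sysmon records already parsed into dicts (EventID, Image,
TargetObject, Details). The sample events at the bottom are constructed.
"""
import re
from typing import Dict, Iterable, List

# Winlogon values whose data should normally be the Windows default.
# Userinit's default ends with a comma; comparisons are case-insensitive.
WINLOGON_KEY = "\\microsoft\\windows nt\\currentversion\\winlogon\\"
WINLOGON_DEFAULTS = {
    "userinit": "c:\\windows\\system32\\userinit.exe,",
    "shell": "explorer.exe",
}
# A value set directly under Run or RunOnce (any hive) is a new autostart entry.
RUN_KEY_RE = re.compile(
    r"\\microsoft\\windows\\currentversion\\(run|runonce)\\[^\\]+$", re.IGNORECASE)


def check_registry_event(ev: Dict[str, str]) -> List[str]:
    """Return zero or more findings for one Sysmon record."""
    findings: List[str] = []
    if ev.get("EventID") != "13":  # only 'value set' events carry Details
        return findings
    target = ev.get("TargetObject", "")
    details = ev.get("Details", "").strip()
    image = ev.get("Image", "<unknown>")
    value_name = target.rsplit("\\", 1)[-1]

    if WINLOGON_KEY in target.lower():
        expected = WINLOGON_DEFAULTS.get(value_name.lower())
        # Unknown Winlogon values are left alone; known ones must equal the default.
        if expected is not None and details.lower() != expected:
            findings.append(
                f"Winlogon\\{value_name} changed to {details!r} by {image} (default {expected!r})")

    if RUN_KEY_RE.search(target):
        findings.append(f"autostart value {value_name!r} -> {details!r} by {image}")
    return findings


def scan(events: Iterable[Dict[str, str]]) -> List[str]:
    out: List[str] = []
    for ev in events:
        out.extend(check_registry_event(ev))
    return out


# Constructed Sysmon records (not from the sample): one benign default write,
# one Userinit hijack, one new Run value, one non-value-set event.
SAMPLE_EVENTS = [
    {"EventID": "13", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": "explorer.exe"},
    {"EventID": "13", "Image": r"C:\Users\u\AppData\Roaming\sample.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "Details": r"C:\Windows\system32\userinit.exe,C:\Users\u\AppData\Roaming\sample.exe"},
    {"EventID": "13", "Image": r"C:\Users\u\AppData\Roaming\sample.exe",
     "TargetObject": r"HKU\S-1-5-21-1-1-1-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\u\AppData\Roaming\sample.exe"},
    {"EventID": "12", "Image": r"C:\Users\u\AppData\Roaming\sample.exe",
     "TargetObject": r"HKU\S-1-5-21-1-1-1-1001\Software\Microsoft\Windows\CurrentVersion\Run"},
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

The Userinit check compares against the full default string rather than looking for a keyword, because the usual abuse is to append a second executable after the comma while keeping the legitimate userinit.exe in place; a substring test for `userinit.exe` would pass that through. Run/RunOnce writes are reported without judging the value, since the legitimate baseline differs per host and is best suppressed in the SIEM.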

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_731d40ae3f3a1fb2bc3d8395
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificate
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.
