MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6dd21975f4cab86ed7af322c38e9825971e13cc0b826e278f56d2e411ad4f6f8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 15


Intelligence 15 IOCs YARA 18 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6dd21975f4cab86ed7af322c38e9825971e13cc0b826e278f56d2e411ad4f6f8
SHA3-384 hash: 1abdeeefe7a89977d27ccf80fe09c3bb77b758a2d812b81ad1f7160a734a1181e9905e7ac6d283e00a0d6ff47031377e
SHA1 hash: 988354b0667c23f749f9ade68b624d0525e95d10
MD5 hash: 20d9ace6b4fff715f204ea2cf008e0ee
humanhash: eight-juliet-item-earth
File name:20d9ace6b4fff715f204ea2cf008e0ee.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:25'546'752 bytes
First seen:2023-05-10 11:55:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9222d372923baed7aa9dfa28449a94ea (11 x AsyncRAT, 10 x RedLineStealer, 9 x NanoCore)
ssdeep 393216:+7sxAlnJLFg3GT6+K7btWp3EqO97hu/m3pDnL8nbVB3Q7MP2sjwCfgM2p:+7xlVFFW+K7cG3GK03A7i2sjvgM2p
Threatray 1'583 similar samples on MalwareBazaar
TLSH T1E647334436E489BBE1BEA239891A501D17B2F8136740D7CF86E462E51D333F29E37A17
TrID 64.8% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
24.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
3.4% (.EXE) Win64 Executable (generic) (10523/12/4)
1.8% (.FON) Windows Font (5545/9/1)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 623292ca92b3a262 (1 x NanoCore)
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
NanoCore C2:
3.142.129.56:18184

Intelligence

File Origin
# of uploads :
1
# of downloads :
343
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
nanocore
Create hunting rule
ID:
1
File name:
20d9ace6b4fff715f204ea2cf008e0ee.exe
Verdict:
Malicious activity
Analysis date:
2023-05-10 11:58:03 UTC
Tags:
nanocore rat
Link:
https://app.any.run/tasks/c48380d3-939c-4935-98f4-03a4d745fbd7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Sanesecurity.Malware.28946.BadP.UNOFFICIAL
Create hunting rule

Win.Trojan.NanoCore-9852758-0
Create hunting rule

Win.Packed.Generic-9777790-0
Create hunting rule

Win.Trojan.Generic-9783914-0
Create hunting rule

Win.Tool.Binder-9794371-0
Create hunting rule

Win.Dropper.Nancrat-9869495-0
Create hunting rule

Win.Dropper.Nanocore-9916514-0
Create hunting rule

Win.Trojan.Nanocore-5
Create hunting rule

Win.Trojan.Binder-6
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/83365/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionGetTickCount
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm anti-vm fingerprint greyware hacktool nanocore packed python rat shell32.dll xpack
Link:
https://www.filescan.io/uploads/645b8654d054a0b0ef8485a9/reports/3a19ca54-017e-420c-8225-bb803e538685/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/6dd21975f4cab86ed7af322c38e9825971e13cc0b826e278f56d2e411ad4f6f8
Result
Verdict:
MALICIOUS
Result
Threat name:
Nanocore, Luna Logger, Umbral Stealer
Create hunting rule
Detection:
malicious
Classification:
rans.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1229981
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
DLL reload attack detected
DLL side loading technique detected
Drops PE files to the startup folder
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Capture Wi-Fi password
Sigma detected: NanoCore
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Uses netsh to modify the Windows network and firewall settings
Writes many files with high entropy
Yara detected Luna Logger
Yara detected Nanocore RAT
Yara detected Umbral Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 862963 Sample: A4AxThCBqS.exe Startdate: 10/05/2023 Architecture: WINDOWS Score: 100 81 8.tcp.ngrok.io 2->81 95 Snort IDS alert for network traffic 2->95 97 Multi AV Scanner detection for domain / URL 2->97 99 Found malware configuration 2->99 101 20 other signatures 2->101 10 A4AxThCBqS.exe 4 2->10         started        14 LOGZ.EXE 2->14         started        16 dhcpmon.exe 3 2->16         started        signatures3 process4 file5 65 C:\Users\user\AppData\Local\Temp\LOGZ.EXE, PE32+ 10->65 dropped 67 C:\Users\user\AppData\...\LOGZ UMBRAL.EXE, PE32 10->67 dropped 69 C:\Users\user\AppData\...\KRNL (WORKING).EXE, PE32 10->69 dropped 117 Writes many files with high entropy 10->117 18 LOGZ.EXE 195 10->18         started        22 KRNL (WORKING).EXE 1 10 10->22         started        25 LOGZ UMBRAL.EXE 14 3 10->25         started        71 C:\Users\user\AppData\Local\...\win32ui.pyd, PE32+ 14->71 dropped 73 C:\Users\user\AppData\...\win32trace.pyd, PE32+ 14->73 dropped 75 C:\Users\user\AppData\Local\...\win32pdh.pyd, PE32+ 14->75 dropped 77 139 other files (135 malicious) 14->77 dropped 27 LOGZ.EXE 14->27         started        signatures6 process7 dnsIp8 53 C:\Users\user\AppData\Local\...\win32ui.pyd, PE32+ 18->53 dropped 55 C:\Users\user\AppData\...\win32trace.pyd, PE32+ 18->55 dropped 57 C:\Users\user\AppData\Local\...\win32pdh.pyd, PE32+ 18->57 dropped 63 139 other files (135 malicious) 18->63 dropped 103 Antivirus detection for dropped file 18->103 105 Multi AV Scanner detection for dropped file 18->105 107 DLL reload attack detected 18->107 111 3 other signatures 18->111 29 LOGZ.EXE 14 18->29         started        83 3.142.129.56, 18184, 49708, 49710 AMAZON-02US United States 22->83 85 3.142.167.4, 18184, 49703, 49712 AMAZON-02US United States 22->85 91 2 other IPs or domains 22->91 59 C:\Program Files (x86)\...\dhcpmon.exe, PE32 22->59 dropped 61 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 22->61 dropped 109 Hides that the sample has been downloaded from the Internet (zone.identifier) 22->109 87 ip-api.com 208.95.112.1, 49699, 80 TUT-ASUS United States 25->87 89 192.168.2.1 unknown unknown 25->89 34 WMIC.exe 1 25->34         started        36 cmd.exe 27->36         started        file9 signatures10 process11 dnsIp12 93 ptb.discord.com 162.159.136.232, 443, 49707 CLOUDFLARENETUS United States 29->93 79 C:\Users\user\AppData\Roaming\...\LOGZ.EXE, PE32+ 29->79 dropped 119 Tries to harvest and steal browser information (history, passwords, etc) 29->119 121 Tries to harvest and steal WLAN passwords 29->121 38 cmd.exe 29->38         started        41 cmd.exe 29->41         started        123 DLL side loading technique detected 34->123 43 conhost.exe 34->43         started        45 conhost.exe 36->45         started        file13 signatures14 process15 signatures16 113 Uses netsh to modify the Windows network and firewall settings 38->113 115 Tries to harvest and steal WLAN passwords 38->115 47 conhost.exe 38->47         started        49 conhost.exe 41->49         started        51 netsh.exe 41->51         started        process17
Gathering data
Threat name:
ByteCode-MSIL.Backdoor.NanoCore
Create hunting rule
Status:
Malicious
First seen:
2023-05-05 23:30:54 UTC
File Type:
PE (Exe)
Extracted files:
9
AV detection:
34 of 37 (91.89%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nxjbs5puzk4g5v5pgiwdr2mclfy6cpgaxatoe6hvnuxecgwu634a._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
107ff183d6828547a6f3e42d34a5bc32c139adfdde541e1f0a7b64f353116efa
NanoCore
239ec3bfd566b2e7c09a16c28997aac2ddaad1c717baa23b2f22e5e212ac9c00
NanoCore
3e80a90fb4fe1eeca3ac51cf9638c21c3b06af889b5f51c859e6d7f7b21e4bb7
NanoCore
45272694709263868523b77d0561757378cc2e8aa7d64c7ed21deaacbdf88b5b
NanoCore
51ba2b6912305fd63c041dccff36db067314cab3f93227aaf21990801efa0b25
NanoCore
c0ee259c92c30dcd710e13a44ec8899aa527998ab2431d1e4cb1de94db939718
NanoCore
c4a3b2aef09e330f1a02b22cf69e798381ff3a53316de8b519fd62fb8edd3262
NanoCore
d6f646bb653c584a63aed4bc95c2a284d59944986a451ecdd55e029d4d394a5c
NanoCore
+ 1'573 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger persistence pyinstaller spyware stealer trojan upx
Link:
https://tria.ge/reports/230510-n31jtshf3v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Detects Pyinstaller
Enumerates physical storage devices
Drops file in Program Files directory
Adds Run key to start application
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
NanoCore
Malware Config
C2 Extraction:
8.tcp.ngrok.io:18184
Malware family:
NanoCore
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6dd21975f4ca/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Nanocore
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6dd21975f4cab86ed7af322c38e9825971e13cc0b826e278f56d2e411ad4f6f8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:Discord_APIs
Create hunting rule
Rule name:INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
Create hunting rule
Author:ditekSHen
Description:Detects executables attemping to enumerate video devices using WMI
Rule name:malware_Nanocore_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:MALWARE_Win_NanoCore
Create hunting rule
Author:ditekSHen
Description:Detects NanoCore
Rule name:nanocore_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:Nanocore_RAT_Gen_2_RID2D96
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.
Rule name:QbotStuff
Create hunting rule
Author:anonymous
Rule name:reverse_http
Create hunting rule
Author:CD_R0M_
Description:Identify strings with http reversed (ptth)
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/
Rule name:Windows_Trojan_Nanocore_d8c4e3c5
Create hunting rule
Author:Elastic Security
Rule name:win_nanocore_w0
Create hunting rule
Author:Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments