MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6e2405887d0bea5bc4d9ec04e362a7c9f2ed0ae5ee486ba0d473636197874884. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 10

SHA256 hash: 6e2405887d0bea5bc4d9ec04e362a7c9f2ed0ae5ee486ba0d473636197874884
SHA3-384 hash: b5872b24fb0f55f6bf531841dd91d1fcc432ca9806f82974303d89de155d1fc4eaaa1b817b355ab5d304505c88137f19
SHA1 hash: eba346dc9ed9b65faabdd355aebf6db327daaf5c
MD5 hash: e98a455a1fc7260c31150aefcb2880d4
humanhash: ack-bravo-nitrogen-lima
File name: e98a455a1fc7260c31150aefcb2880d4.exe
Signature: NanoCore
File size: 7'993'344 bytes
First seen: 2020-12-01 08:57:35 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: ee29d956202a00089af753de40f7f116 (2 x BitRAT, 1 x NanoCore)
ssdeep: 196608:CmTljeDxwhzav1yo31CPwDv3uFZjeg2EeJUO9WLQUDxtw3iFFrS6XOfTV73c:7FuxwZ6v1CPwDv3uFteg2EeJUO9WLjDu
Threatray: 40 similar samples on MalwareBazaar
TLSH: B386DF4174918D6FD5562238CAAFA737213CF6A00B33CBC36B546A3D4E62EC12E76B15
Reporter: abuse_ch
Tags: exe NanoCore RAT


abuse_ch
NanoCore RAT payload URL:
http://balgruh.com/images/inside/winsconfig.exe

NanoCore RAT C2:
67.211.209.25:54948

Intelligence


File Origin
# of uploads: 1
# of downloads: 223
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Moving a recently created file
Sending a custom TCP request
Setting a global event handler
Replacing files
Deleting a recently created file
Connection attempt
Setting a global event handler for the keyboard
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 96 / 100
Signature
Antivirus / Scanner detection for submitted sample
Hides threads from debuggers
Machine Learning detection for sample
May use the Tor software to hide its network traffic
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Yara detected BitRAT
Behaviour
Threat name: Win32.Trojan.Wacatac
Status: Malicious
First seen: 2020-11-27 08:47:00 UTC
AV detection: 24 of 29 (82.76%)
Threat level: 5/5
Result
Malware family: nanocore
Score: 10/10
Tags: family:nanocore keylogger persistence spyware stealer trojan upx
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Executes dropped EXE
UPX packed file
NanoCore
Malware Config
C2 Extraction:
67.211.209.25:54948
enomfon.duckdns.org:54948
Unpacked files
SHA256 hash: 6e2405887d0bea5bc4d9ec04e362a7c9f2ed0ae5ee486ba0d473636197874884
MD5 hash: e98a455a1fc7260c31150aefcb2880d4
SHA1 hash: eba346dc9ed9b65faabdd355aebf6db327daaf5c
Detections: win_bit_rat_w0
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_NanoCore
Author: abuse.ch
Rule name: IPPort_combo_mem
Author: James_inthe_box
Description: IP and port combo
Rule name: Keylog_bin_mem
Author: James_inthe_box
Description: Contains Keylog
Rule name: Nanocore
Author: JPCERT/CC Incident Response Group
Description: detect Nanocore in memory
Reference: internal research
Rule name: nanocore_rat
Author: jeFF0Falltrades
Rule name: Nanocore_RAT_Feb18_1
Author: Florian Roth
Description: Detects Nanocore RAT
Reference: Internal Research - T2T
Rule name: Nanocore_RAT_Gen_2
Author: Florian Roth
Description: Detects the Nanocore RAT
Reference: https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name: Ping_Del_method_bin_mem
Author: James_inthe_box
Description: cmd ping IP nul del
Rule name: Rooter
Author: Seth Hardy
Description: Rooter
Rule name: RooterStrings
Author: Seth Hardy
Description: Rooter Identifying Strings
Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name: win_bit_rat_w0
Author: KrabsOnSecurity
Description: String-based rule for detecting BitRAT malware payload
Rule name: win_nanocore_w0
Author: Kevin Breen <kevin@techanarchy.net>

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments