MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6ed6aebe6d0b839ab5a5bebad7d58d72445146afa8ee9742f9b0e287f007b3c4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 10


Intelligence 10 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6ed6aebe6d0b839ab5a5bebad7d58d72445146afa8ee9742f9b0e287f007b3c4
SHA3-384 hash: 3a1f015ab9896ef5d4a18e0466ec7ba69c6d67f1b1cecd3e2355fbca31669bf2a622d685ec05b4bc1c8c168445b42a0b
SHA1 hash: 4d16de6b50332cc05fca066125937c364dda961f
MD5 hash: 6997fbda2b03ac3c34fec92ed6375e40
humanhash: sweet-utah-kansas-paris
File name:PO456789.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:595'456 bytes
First seen:2020-11-24 19:28:12 UTC
Last seen:2020-11-24 22:13:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:Gn5PqttqmMwFHo3ggmmz7dBfRdGacGJQb+oT8:YlqSmMwFHQggvzBBfRdGac+
Threatray 1'349 similar samples on MalwareBazaar
TLSH 62C45B1377454AA4C420FFB702E7FE923369EDD73650875A238A85689A932CE6F0D35C
Reporter neoxmorpheus1
Tags:NanoCore

Intelligence

File Origin
# of uploads :
2
# of downloads :
274
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Running batch commands
Creating a process with a hidden window
Creating a file
Launching cmd.exe command interpreter
Creating a process from a recently created file
Launching a process
Creating a file in the %AppData% subdirectories
Creating a file in the Program Files subdirectories
Creating a file in the %temp% directory
Deleting a recently created file
DNS request
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/546352
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Connects to many ports of the same IP (likely port scanning)
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Malicious sample detected (through community Yara rule)
Protects its processes via BreakOnTermination flag
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 322271 Sample: PO456789.exe Startdate: 24/11/2020 Architecture: WINDOWS Score: 100 82 Found malware configuration 2->82 84 Malicious sample detected (through community Yara rule) 2->84 86 Sigma detected: Scheduled temp file as task from temp location 2->86 88 9 other signatures 2->88 10 PO456789.exe 2 2->10         started        13 fifyt.exe 2->13         started        15 InstallUtil.exe 2->15         started        17 dhcpmon.exe 2->17         started        process3 signatures4 96 Hides that the sample has been downloaded from the Internet (zone.identifier) 10->96 19 cmd.exe 1 10->19         started        21 cmd.exe 2 10->21         started        24 InstallUtil.exe 13->24         started        26 conhost.exe 15->26         started        28 conhost.exe 17->28         started        process5 file6 30 fifyt.exe 1 19->30         started        33 conhost.exe 19->33         started        70 C:\Users\user\AppData\Local\fifyt.exe, PE32 21->70 dropped 35 conhost.exe 21->35         started        process7 signatures8 98 Hides that the sample has been downloaded from the Internet (zone.identifier) 30->98 37 InstallUtil.exe 1 11 30->37         started        42 cmd.exe 1 30->42         started        44 cmd.exe 1 30->44         started        46 5 other processes 30->46 process9 dnsIp10 78 smithcity123.ddns.net 105.112.96.12, 57689 VNL1-ASNG Nigeria 37->78 80 185.244.30.212, 49765, 49766, 49767 DAVID_CRAIGGG Netherlands 37->80 72 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 37->72 dropped 74 C:\Users\user\AppData\Local\...\tmpC4E7.tmp, XML 37->74 dropped 76 C:\Program Files (x86)\...\dhcpmon.exe, PE32 37->76 dropped 90 Protects its processes via BreakOnTermination flag 37->90 92 Hides that the sample has been downloaded from the Internet (zone.identifier) 37->92 48 schtasks.exe 37->48         started        50 schtasks.exe 37->50         started        94 Uses cmd line tools excessively to alter registry or file data 42->94 52 conhost.exe 42->52         started        54 reg.exe 1 1 42->54         started        56 conhost.exe 44->56         started        58 reg.exe 1 44->58         started        60 conhost.exe 46->60         started        62 reg.exe 46->62         started        64 8 other processes 46->64 file11 signatures12 process13 process14 66 conhost.exe 48->66         started        68 conhost.exe 50->68         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6ed6aebe6d0b839ab5a5bebad7d58d72445146afa8ee9742f9b0e287f007b3c4/
Threat name:
ByteCode-MSIL.Trojan.Razy
Create hunting rule
Status:
Malicious
First seen:
2020-11-24 19:28:42 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=n3lk5ptnbobzvnnfx25npvmnojcfcrvpvdxjoqxzwdrip4ahwpca._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
258856f05819789b47e0bed58b1df479976a355cd30b953b23f9e2f5d286578a
NanoCore
2acf6c2398a12dc97ff2ceec4f348ed6338c4aafb2dcfeb24856cf8526d12a9d
NanoCore
644a0403a3c8254a3846b8c07aa7fdeb2cfe21aa5630ca3100949869f60ae407
NanoCore
6a4ecef563225ed9892ff403374d704be5e3b4242ae9f08d624325e83fd22276
NanoCore
c4e3c7871e231318fb43fbdacc011d98d5f671d045facafcd205dd9bf7250f94
NanoCore
db591a08743176655e567ddffcbbd79b9e2e31feadc1feb54a0200296a93d53d
NanoCore
dca09e669f01dcc5efa9ab9120ce3febd53868b3ba12a6e0b4574b82b3d0e392
NanoCore
e26e07749118e8284c28e50553c62bdbe327234b801ffdf2eedb8663444aa459
NanoCore
ee0d34b4e09bd177ff94fcc70278b8b6eb95516d20ca22eed1682dc0a4bb03ff
NanoCore
f4bf592fde78af7ed0b06166ac8265d7b65a2457b9a61f12c2e3a4fad641ac19
NanoCore
+ 1'339 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201124-3yyc1vqkwa/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
NanoCore
Malware Config
C2 Extraction:
smithcity123.ddns.net:57689
185.244.30.212:57689
Unpacked files
SH256 hash:
4f690f3cf792f24a571f09740cf25d0979bde8c11180a26864056643c30479cd
MD5 hash:
304cc4a1948539064cfec5b70bd83e21
SHA1 hash:
32b3754f52323fd71b8349f01c9dd4bc4fecd880
Link:
https://www.unpac.me/results/5067cae9-9108-490c-b575-5b1886f1b64b/
SH256 hash:
df798bcff3c22ce3a2e2bd7f003b7d411d819c9c4e62ccab3bc94b1bbcd9b824
MD5 hash:
e32fa53d77fbf9c2f1a3cbbfda02c701
SHA1 hash:
68fb79bb6eb15dcd6d5dd6a0e3bc2397f1d4eb63
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/5067cae9-9108-490c-b575-5b1886f1b64b/
SH256 hash:
f9c341679423a3ac010b7da292ab6d1ef0ae7e995cd085ada95e1384ba3af38c
MD5 hash:
b1c72a8e99542c64507470535686ddd9
SHA1 hash:
fe3bec4b6e2b7091db68705feb59090c24c8b6ed
Link:
https://www.unpac.me/results/5067cae9-9108-490c-b575-5b1886f1b64b/
SH256 hash:
9790a6aa3d28d77d320c8f32938122c1212b7f6291daa7511f854a3fcd0fb037
MD5 hash:
6e53bc3c0364eefd1d448d25e026975d
SHA1 hash:
f11ea87b0638531f442b113feb19dbaae81ad518
Link:
https://www.unpac.me/results/5067cae9-9108-490c-b575-5b1886f1b64b/
SH256 hash:
6ed6aebe6d0b839ab5a5bebad7d58d72445146afa8ee9742f9b0e287f007b3c4
MD5 hash:
6997fbda2b03ac3c34fec92ed6375e40
SHA1 hash:
4d16de6b50332cc05fca066125937c364dda961f
Link:
https://www.unpac.me/results/5067cae9-9108-490c-b575-5b1886f1b64b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6ed6aebe6d0b839ab5a5bebad7d58d72445146afa8ee9742f9b0e287f007b3c4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:nanocore_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments