MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 701768dfd24a5df7d5ad448c9bcd933fbef87fca11c91c457cfa44d95e2fb6d1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 16


Intelligence 16 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 701768dfd24a5df7d5ad448c9bcd933fbef87fca11c91c457cfa44d95e2fb6d1
SHA3-384 hash: ae9e5aafaa8fa6ea002fe05364929e12e5a929f3ede68bfbb41b651c72b3ae76c555bb962c6a2d10507d5191653d4804
SHA1 hash: 4937ee1f052acc2fc574baa54bfff07bdc00aac7
MD5 hash: 1fd5b72876baa9af3f69708fe34a06da
humanhash: twelve-florida-king-august
File name:1fd5b72876baa9af3f69708fe34a06da.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:691'200 bytes
First seen:2022-08-24 07:35:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:n2nNKu3XDG2vMB6sm15Vcz+KgUIf+0E/0UIDr2gKGcpuhgIFq+q:cNlG2vO655VRUZ0E/0UO2gKpu5qP
Threatray 5'129 similar samples on MalwareBazaar
TLSH T120E412A537AD4F2AD93A8BF941B441A043B8B21B7147E71F9DD630DA2E22F5B1304E47
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe NanoCore RAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
362
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
nanocore
Create hunting rule
ID:
1
File name:
1fd5b72876baa9af3f69708fe34a06da.exe
Verdict:
Malicious activity
Analysis date:
2022-08-24 07:40:39 UTC
Tags:
trojan nanocore rat stealer
Link:
https://app.any.run/tasks/404119f0-abec-4cf5-9c23-77c753c7a18f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/300787/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1506.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fareit packed remcos
Link:
https://www.filescan.io/uploads/6305d520ce5d306100109b51/reports/6a6eeacb-d12c-4404-a537-635b10d2c3bc/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NanoCoreRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f4b31c03-9def-4ebf-9fdb-be82dc8ec926
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1056832
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 689349 Sample: T7hfS3rNEv.exe Startdate: 24/08/2022 Architecture: WINDOWS Score: 100 52 kasawulli845.ddns.net 2->52 58 Snort IDS alert for network traffic 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 Antivirus detection for URL or domain 2->62 64 13 other signatures 2->64 9 T7hfS3rNEv.exe 3 2->9         started        13 dhcpmon.exe 2 2->13         started        15 T7hfS3rNEv.exe 2 2->15         started        17 dhcpmon.exe 3 2->17         started        signatures3 process4 file5 50 C:\Users\user\AppData\...\T7hfS3rNEv.exe.log, ASCII 9->50 dropped 68 Uses schtasks.exe or at.exe to add and modify task schedules 9->68 70 Injects a PE file into a foreign processes 9->70 19 T7hfS3rNEv.exe 1 16 9->19         started        24 dhcpmon.exe 13->24         started        26 dhcpmon.exe 13->26         started        28 T7hfS3rNEv.exe 15->28         started        30 T7hfS3rNEv.exe 15->30         started        32 dhcpmon.exe 17->32         started        signatures6 process7 dnsIp8 54 kasawulli845.ddns.net 109.206.241.128, 49710, 49711, 49712 AWMLTNL Germany 19->54 56 127.0.0.1 unknown unknown 19->56 42 C:\Program Files (x86)\...\dhcpmon.exe, PE32 19->42 dropped 44 C:\Users\user\AppData\Roaming\...\run.dat, data 19->44 dropped 46 C:\Users\user\AppData\Local\Temp\tmp15.tmp, XML 19->46 dropped 48 C:\...\dhcpmon.exe:Zone.Identifier, ASCII 19->48 dropped 66 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->66 34 schtasks.exe 1 19->34         started        36 schtasks.exe 1 19->36         started        file9 signatures10 process11 process12 38 conhost.exe 34->38         started        40 conhost.exe 36->40         started       
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/701768dfd24a5df7d5ad448c9bcd933fbef87fca11c91c457cfa44d95e2fb6d1/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-08-23 12:58:25 UTC
File Type:
PE (.Net Exe)
Extracted files:
54
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=oalwrx6sjjo7pvnnisgjxtmth67pq76kcheryrl47jcnsxrpw3iq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
njrat
Create hunting rule
Similar samples:
0b1396805e736275f16550f3ecc5361cfcccc468094b4ea910ded8eaf430a5b3
NanoCore
36ccab7aced638753e2ccf38501d8a5a8995a30e3b2ac323b6198a44b881159e
NanoCore
45272694709263868523b77d0561757378cc2e8aa7d64c7ed21deaacbdf88b5b
NanoCore
4f7da7d6fb331a8098d4ce354690ffc64d8f0225307b406e722548109e669d4d
NanoCore
923527e188f407ba2bba6d1570506c474519970bc29fbee47d16d01636e7a338
NanoCore
9530780503c903e1d83738e19e754c3756e067612adddcea2f64c25749b6a838
NanoCore
b7b70dcbc64afcbcc9ca6ed5e6a61bac14e32f6f5c24ef005592006098abc76d
NanoCore
+ 5'119 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/220824-je9elsbch2/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
NanoCore
Malware Config
C2 Extraction:
kasawulli845.ddns.net:5211
127.0.0.1:5211
Unpacked files
SH256 hash:
e6b8e87ddac20e8c8d2478e12a9d37406ebe3f75a67232c7d775c26a1dcd3322
MD5 hash:
609eaa354866a5b1945ce70c8a8cb3ad
SHA1 hash:
cda99fee423c6b5b1cc2bffe8d702898d27c92c9
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/9ca301ad-e412-483d-a918-bda9a0a6a08e/
Parent samples :
25dc2daecc1f213eb7e68141aca9e9917e2ba93fc30bafd050f84d7e1f0bd3d2
c27008bd825faf145c4d214450c1044c3927d01a2d7da850da862c51018d0ccd
0ce9fcd692bc34e751910d4698453b577677fa2883f978af28e6753a963e30da
701768dfd24a5df7d5ad448c9bcd933fbef87fca11c91c457cfa44d95e2fb6d1
f744326dd8c1d2d254759fed22d0f8d1ce7df89ec0c699a896450773f110355a
a34669a4f919bfb5c570b7d5ad5eea4f5fdb276268afbdb6b540907f1ddefa83
ed627832d80a82faf49c5a61bf7fef509f4860889ece7d18388ecbe2110f7dc6
3a8064e4524a52d53e9b2111c5368c82182dc885043b43373f56f7532b268e29
747e7a2c12b9ecff95e0828ab061ac6d75a722005bbce2555b6c5353eaf9e23f
52cd482b7219eb54f7e9e4672d58d8bd85fbbb3468d2da6fac5b719b3a934f65
1d2147500bdb626e9f78761c9d25a8d597f3d966e5437efb461f03b3ec8be217
b95f5f68948d08e06292fbda648e99b3d7d237e19cb4da03fc729fddd681d195
3ac36b3612907df3fd1724900c917c215ef9bf6c5530c81d3b40a1faf7447b90
SH256 hash:
c49cad68ec29652ea27fa5dea5923e3c58048a880c80dcb2f830eea1684fa379
MD5 hash:
e7d9663a7d8a2b2834bfa0459942a5c0
SHA1 hash:
b1e39c40d05222a194bc02a467e47cbdd3d8003d
Link:
https://www.unpac.me/results/9ca301ad-e412-483d-a918-bda9a0a6a08e/
SH256 hash:
1ab30b761d40ca0448b78bb3bd66524ee4e0e010127680f3133a2a6fdb62ecde
MD5 hash:
158a9614df783311cf104cfe75b6c39b
SHA1 hash:
8953370b4cc37e410cb1b6ff0f69ec3e9b0997af
Link:
https://www.unpac.me/results/9ca301ad-e412-483d-a918-bda9a0a6a08e/
SH256 hash:
d675ca67f8419e38bdb747815bc8c6a39fe232297d15b060207f941c4b9189f0
MD5 hash:
b9c50969dc10f55529c2a08af31358b7
SHA1 hash:
22e08503d17b3b6b7fb3ffbef8ae16f48b902ec6
Link:
https://www.unpac.me/results/9ca301ad-e412-483d-a918-bda9a0a6a08e/
SH256 hash:
9b4aee132a0228378d66a57fda3a2030952309ef74cf2db724ac916b04d8c034
MD5 hash:
93c6391d23c1aa1ed66fb13f82f2ee31
SHA1 hash:
220098c3047c32b51ae13a5cc1e9beeef3da6e18
Link:
https://www.unpac.me/results/9ca301ad-e412-483d-a918-bda9a0a6a08e/
SH256 hash:
701768dfd24a5df7d5ad448c9bcd933fbef87fca11c91c457cfa44d95e2fb6d1
MD5 hash:
1fd5b72876baa9af3f69708fe34a06da
SHA1 hash:
4937ee1f052acc2fc574baa54bfff07bdc00aac7
Link:
https://www.unpac.me/results/9ca301ad-e412-483d-a918-bda9a0a6a08e/
Malware family:
NanoCore
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/701768dfd24a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/701768dfd24a5df7d5ad448c9bcd933fbef87fca11c91c457cfa44d95e2fb6d1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:malware_Nanocore_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:MALWARE_Win_NanoCore
Create hunting rule
Author:ditekSHen
Description:Detects NanoCore
Rule name:nanocore_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Feb18_1_RID2DF1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:Nanocore_RAT_Gen_2_RID2D96
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_nanocore_w0
Create hunting rule
Author:Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NanoCore

Executable exe 701768dfd24a5df7d5ad448c9bcd933fbef87fca11c91c457cfa44d95e2fb6d1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2259316/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/300787/

Comments