MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 720713376168b4813c3319060b2b0c2b5b6fe6e9668db63a36377f89a4461186. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 7

Intelligence 7 IOCs YARA 6 File information Comments

SHA256 hash:	720713376168b4813c3319060b2b0c2b5b6fe6e9668db63a36377f89a4461186
SHA3-384 hash:	4a196010d1d3ef86209e6d349dcbed88fc5e85455966ca480cbf07d65a5bf323d1fc81830917359e574598712d214019
SHA1 hash:	8a0fdc5b8ec5290fa4bc5a8166496287f680f47b
MD5 hash:	959ea6d8349349778924e73a6aad6fab
humanhash:	july-blossom-helium-mango
File name:	720713376168b4813c3319060b2b0c2b5b6fe6e9668db63a36377f89a4461186
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	541'696 bytes
First seen:	2020-11-11 11:15:48 UTC
Last seen:	2020-11-17 12:31:03 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'659 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:e2Ra9sGAeSRjnCsG7FBPbzlaOzMZUF2t8LFhOs:9aSXRjnTG7FBDxaS0Uc8T
TLSH	76B4E07B3511B98EF6578C77C4A42F741D50AC378B02E61E785B32A8607D29ACE049FE
Reporter	seifreed
Tags:	NanoCore

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Creating a file

Creating a file in the %AppData% subdirectories

Sending a custom TCP request

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/720713376168b4813c3319060b2b0c2b5b6fe6e9668db63a36377f89a4461186/

Threat name:

ByteCode-MSIL.Trojan.NanoBot

Status:

Malicious

First seen:

2020-11-11 11:17:31 UTC

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=oidrgn3bnc2icpbtdedawkymfnnw7zxjm2g3morwg57ytjcgcgda._file

Result

Malware family:

nanocore

Score:

10/10

Tags:

family:nanocore evasion keylogger spyware stealer trojan

Link:

https://tria.ge/reports/201111-297wbbv9qn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Checks whether UAC is enabled

NanoCore

Malware Config

C2 Extraction:

:4040
23.105.131.177:4040

Unpacked files

SH256 hash:

720713376168b4813c3319060b2b0c2b5b6fe6e9668db63a36377f89a4461186

MD5 hash:

959ea6d8349349778924e73a6aad6fab

SHA1 hash:

8a0fdc5b8ec5290fa4bc5a8166496287f680f47b

Link:

https://www.unpac.me/results/a272b003-57dc-4b66-aa25-42f470c25c75/

SH256 hash:

cb951f1d2b5460456aad0d89cef1216d9be5e51784d11a92447d43e96177bd5e

MD5 hash:

8cd5d2014866f4ef60802ff1826998a6

SHA1 hash:

8ff75946905d0b117080cc5a07e6e0bbea4e9bbd

Link:

https://www.unpac.me/results/a272b003-57dc-4b66-aa25-42f470c25c75/

SH256 hash:

d75a6428cae3c68c41b1a32d8d82f894bf619fcdfab6d5e2466713c5e43c8f91

MD5 hash:

6d101852285ded853d5bda556a9b67b1

SHA1 hash:

155e50876d17298bb62e076b0d4fc5d4b820a964

Link:

https://www.unpac.me/results/a272b003-57dc-4b66-aa25-42f470c25c75/

SH256 hash:

6228f53b078d779c4c8a0606ebde135d299579698d0681bbdb0c6633529952a8

MD5 hash:

9ddd1986e0eeca0bcedc429be0ae9e03

SHA1 hash:

5cf5bc78f5f922cb13bc68b106e7fdc868772842

Detections:

win_nanocore_w0

Link:

https://www.unpac.me/results/a272b003-57dc-4b66-aa25-42f470c25c75/

Parent samples :

720713376168b4813c3319060b2b0c2b5b6fe6e9668db63a36377f89a4461186
98746564324170cea0a4d4b8a257a26def9f44965f8486c704108afcef6cac6f
6d67caae68c8a41f5df98a36a12b799cd420d19f6462f52b73c37dbd7478cb88

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	nanocore_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name:	win_nanocore_w0 Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample