MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 736a674fa02f8e3035c2ea7c3698b36db0feb980b83522578e0c6e2aab05d0e3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 9


Intelligence 9 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 736a674fa02f8e3035c2ea7c3698b36db0feb980b83522578e0c6e2aab05d0e3
SHA3-384 hash: 0cad3ac7e697ea51a667f393c618af00d3c93e0b55547bef76993984be2b0a46da3700266fb133a8af790ae69da152f6
SHA1 hash: 4f78cdfe53205bcabdc1c2e6fe5b097d7c1c851d
MD5 hash: 623413e919ae0a97a295205d7ecc016b
humanhash: ack-bakerloo-mobile-hawaii
File name:623413e919ae0a97a295205d7ecc016b.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:530'432 bytes
First seen:2021-07-07 15:47:56 UTC
Last seen:2021-07-07 16:52:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 6144:c5NAanpFSrv+ZLJshJTPVKhxS9Wew74F6eQWhrCxIcvoL6bHhqK0/6sJEyNZ:dan4vJJRKbepF67Wh8IcvoWma8
Threatray 11 similar samples on MalwareBazaar
TLSH T1F5B4018161548632D2994CFBC86973C80FBADD1B1B22E954607F3EA67C323899BF5347
Reporter abuse_ch
Tags:exe NanoCore RAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
202
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
P O 1.doc
Verdict:
Malicious activity
Analysis date:
2021-07-07 14:54:56 UTC
Tags:
ole-embedded trojan loader
Link:
https://app.any.run/tasks/18270fc8-65ad-4919-baf6-a81fe756df7a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/170224/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.3268.8864.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7766d40d-65cb-41c6-9b30-17433e745cf1
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/812976
Signature
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Detected Nanocore Rat
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/736a674fa02f8e3035c2ea7c3698b36db0feb980b83522578e0c6e2aab05d0e3/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2021-07-07 12:39:17 UTC
AV detection:
15 of 29 (51.72%)
Threat level:
  3/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=onvgot5af6hdanoc5j6dngftnwyp5omaxa2sev4obrxcvkyf2drq._file
Verdict:
unknown
Similar samples:
0d852bfcbc49afecc18e426f7d694597966256d55c225a4ae798a7e98200b5ca
NanoCore
13cbfcca93b6700d7a32d6db67417a27a6ab366a305cd54cc74d5172bb0e6d0f
NanoCore
261728fc1400289488ed7168916b8752a2633c638724cb1653f671568437545c
NanoCore
4b2b38ac21633e5df154ad4cb368f77db88a245edc825cac374193120ad8416d
NanoCore
4e084a7c4023a643e234158d6471d9dce991aa0f1d9a730c1f5e71c9fd42dbf0
NanoCore
8852c808f4beb15d37457e26d23a155e25b83ebb7c48dcf83d3c65f4871aa174
NanoCore
c213019d25cbc62e3e385f7f6f342ce2b7f80736169cbe95e4c40c05f74c9bff
NanoCore
c7dac0da25d58206459be8af996568547c3df0f76149c741e607249af4c47a67
NanoCore
ccbf1853c703609eda36bc07ab8eb2faf692153b56ecf8cf9155e67e7a460c2c
NanoCore
dafee937bbe45fe3398e06d60f2177c42a20e41f9bc5c22dcadbf284cdf4fb75
NanoCore
+ 1 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210707-js5xr38gcj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Modifies WinLogon for persistence
NanoCore
Malware Config
C2 Extraction:
luda.ydns.eu:5498
Unpacked files
SH256 hash:
6a7f421a3234c251d612c0aefab3cf56f1db1910865537635aae7137df3e35b0
MD5 hash:
3b1da3d8b42538ce1ff31b2a372d7b34
SHA1 hash:
677e083c401dd166321249c18a68a3a6262b4938
Link:
https://www.unpac.me/results/a8ae4bdb-512d-4733-9251-ff610e289e6c/
SH256 hash:
ca980864506e73cc21f81e2c6bd1b5c01157225eee5107dd7fab94946e74e7ff
MD5 hash:
3a83121afc01efe581c20c9af82c9aba
SHA1 hash:
424f40b20e43be0451d5a847ba66248be54eb35f
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/a8ae4bdb-512d-4733-9251-ff610e289e6c/
SH256 hash:
d8f827bb22b0645e1b8e653af22aa6dc205f538ddf87f44f357c0ef184e88fec
MD5 hash:
5924164a84827d8bee5d8653981508ab
SHA1 hash:
2662438b31843d121882f019fa5a860c7a3c192f
Link:
https://www.unpac.me/results/a8ae4bdb-512d-4733-9251-ff610e289e6c/
SH256 hash:
736a674fa02f8e3035c2ea7c3698b36db0feb980b83522578e0c6e2aab05d0e3
MD5 hash:
623413e919ae0a97a295205d7ecc016b
SHA1 hash:
4f78cdfe53205bcabdc1c2e6fe5b097d7c1c851d
Link:
https://www.unpac.me/results/a8ae4bdb-512d-4733-9251-ff610e289e6c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/736a674fa02f8e3035c2ea7c3698b36db0feb980b83522578e0c6e2aab05d0e3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:nanocore_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NanoCore

Executable exe 736a674fa02f8e3035c2ea7c3698b36db0feb980b83522578e0c6e2aab05d0e3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1395138/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/170224/

Comments