MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7534a4ffb8ef83103485bcce9d51b2af93730a9d578e2b8b5f7ff473c0f8092d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NanoCore


Vendor detections: 8



SHA256 hash: 7534a4ffb8ef83103485bcce9d51b2af93730a9d578e2b8b5f7ff473c0f8092d
SHA3-384 hash: 2ddef5edc677c18a788e685f7bb1d6df6f77dd8cd667ba9526df22f0eeb27fbc26894bd255dcf3d2bc0028b89e2a9eba
SHA1 hash: 5de819c63b446cf675c69376c9d7ec478dea9060
MD5 hash: ce724d85d4615439ff27f5573c9aaa8f
humanhash: thirteen-batman-autumn-robin
File name: ORDER PMX-PT-2001 STOCK+NOVO.exe
Signature: NanoCore
File size: 927'232 bytes
First seen: 2020-11-26 08:48:44 UTC
Last seen: 2020-11-26 10:46:31 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger; this imphash is shared by nearly every .NET executable, whose only native import is mscoree.dll, so it is not a useful pivot on its own)
ssdeep: 12288:dksfO0jHdT5zPvEfeVJQ34PjKYrFTm+UVYFXXrFX9rhhq3UwZtMsf05VMrWbugS8:ioZHR5LvE2VJQUj7ElUFXa
Threatray: 1'353 similar samples on MalwareBazaar
TLSH: 01155B5B3358B3DECA5AADF1D8240C7ABA50A962431FE24BCDD34C9A9E0D456CF341E1
Reporter: abuse_ch
Tags: exe NanoCore RAT


abuse_ch
Malspam distributing NanoCore:

HELO: [45.15.143.160]
Sending IP: 45.15.143.160
From: Veronica Martin <veronica.martin@vitrabypavilion.com>
Subject: PAVILION - ORDER PMX-PT-2001 STOCK+NOVO
Attachment: ORDER PMX-PT-2001 STOCK+NOVO.zip (contains "ORDER PMX-PT-2001 STOCK+NOVO.exe")

NanoCore RAT C2:
nanopc.linkpc.net:40700
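The reporter's comment above gives enough to build a mail-gateway check for this campaign. The following script is an added example, not MalwareBazaar's code and not the reporter's: it builds a constructed copy of the reported message (the Received hop via mx.example.net, the body text and the ZIP contents are all made up for the example; the ZIP carries a harmless stub, not the real sample), then parses it the way a triage script would: sending IP from the Received header, sender domain, attachment name, and the SHA256 of every archive member, each compared against the indicators listed on this page.

```python
"""Triage the reported malspam against the indicators on this page.

Added example; not MalwareBazaar code.  It parses a constructed copy of the
e-mail described in the reporter's comment, pulls the sending IP out of the
Received header, unpacks the ZIP attachment in memory, hashes every member
and reports which of this entry's indicators match.  The Received header,
the mail body and the ZIP contents are constructed for the example; the
indicator values are the ones listed on this page.
"""
import hashlib
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr
from typing import Any, Dict, List

# Indicators taken from this MalwareBazaar entry.
IOC: Dict[str, Any] = {
    "sender_ip": "45.15.143.160",
    "sender_domain": "vitrabypavilion.com",
    "attachment": "ORDER PMX-PT-2001 STOCK+NOVO.zip",
    "sha256": {"7534a4ffb8ef83103485bcce9d51b2af93730a9d578e2b8b5f7ff473c0f8092d"},
}
EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".com")
BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def build_sample_message() -> bytes:
    """Constructed message shaped like the reported malspam; the ZIP holds a stub, not the sample."""
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("ORDER PMX-PT-2001 STOCK+NOVO.exe", b"MZ stub: constructed for the example, not malware")
    msg = EmailMessage(policy=policy.default)
    msg["Received"] = ("from [45.15.143.160] (HELO [45.15.143.160]) by mx.example.net "
                       "with SMTP; Thu, 26 Nov 2020 08:40:00 +0000")  # constructed hop
    msg["From"] = "Veronica Martin <veronica.martin@vitrabypavilion.com>"
    msg["To"] = "sales@example.net"
    msg["Subject"] = "PAVILION - ORDER PMX-PT-2001 STOCK+NOVO"
    msg.set_content("Please find our order attached.")
    msg.add_attachment(zip_buf.getvalue(), maintype="application", subtype="zip",
                       filename="ORDER PMX-PT-2001 STOCK+NOVO.zip")
    return msg.as_bytes()


def triage(raw: bytes) -> Dict[str, Any]:
    """Return which indicators from this entry the message matches."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    received = " ".join(str(msg.get("Received", "")).split())   # unfold the header
    hop_ips = BRACKETED_IPV4.findall(received)
    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()

    matched: List[str] = []
    if IOC["sender_ip"] in hop_ips:
        matched.append("sender_ip")
    if from_domain == IOC["sender_domain"]:
        matched.append("sender_domain")

    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_content()
        if name == IOC["attachment"]:
            matched.append("attachment_name")
        members = []
        if isinstance(data, bytes) and zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    digest = hashlib.sha256(zf.read(info)).hexdigest()
                    if digest in IOC["sha256"]:
                        matched.append("payload_sha256")
                    members.append({
                        "name": info.filename,
                        "executable": info.filename.lower().endswith(EXEC_SUFFIXES),
                        "sha256": digest,
                    })
        attachments.append({"name": name, "members": members})

    # An executable inside an archive is worth holding even when no indicator matches.
    exe_in_archive = any(m["executable"] for a in attachments for m in a["members"])
    verdict = "block" if matched else ("quarantine" if exe_in_archive else "pass")
    return {"hop_ips": hop_ips, "from_domain": from_domain, "matched_indicators": matched,
            "attachments": attachments, "exe_in_archive": exe_in_archive, "verdict": verdict}


if __name__ == "__main__":
    result = triage(build_sample_message())
    print(result["verdict"], result["matched_indicators"])
```

Because the archive member is a stub, the SHA256 comparison does not fire here; on the real message it would, and the sender IP, sender domain and attachment name already match. Note that a Received header is only trustworthy for the hop written by your own MTA, so match the sending IP against the topmost Received line your gateway added rather than against every hop in the chain.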

Intelligence


File Origin
# of uploads: 2
# of downloads: 212
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Creating a file
Creating a file in the %AppData% subdirectories
Connection attempt
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Gathering data
Result
Threat name: Nanocore
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Detected Nanocore Rat
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected Nanocore RAT
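Two of the signatures above ("Uses schtasks.exe or at.exe to add and modify task schedules" and "Sigma detected: Scheduled temp file as task from temp location") describe a persistence pattern that is easy to hunt for in process-creation telemetry. The script below is an added example written for this page; it is not the sandbox's rule and not the text of the Sigma rule that fired. The matching logic (task-modifying switches, payload path taken from /tr or /xml, temp-directory markers) and the four Sysmon-style event records are constructed for the example; only the dropper's file name comes from this entry.

```python
"""Flag scheduled-task changes whose payload lives in a temp directory.

Added example modelled on two sandbox signatures listed for this sample
("Uses schtasks.exe or at.exe to add and modify task schedules" and
"Sigma detected: Scheduled temp file as task from temp location").  The
matching logic is written for this example and is not the text of the
Sigma rule the sandbox applied; the process-creation records below are
constructed, not taken from the sandbox report.
"""
import re
from typing import Dict, List, Optional

# Sysmon Event ID 1 style records, constructed for the example.
EVENTS: List[Dict[str, str]] = [
    {   # dropper registering a task from an XML file it wrote to %TEMP%
        "Image": r"C:\Windows\SysWOW64\schtasks.exe",
        "ParentImage": r"C:\Users\victim\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe",
        "CommandLine": r'"schtasks.exe" /create /f /tn "Updater" /xml "C:\Users\victim\AppData\Local\Temp\tmp3F2A.tmp"',
    },
    {   # benign query, must not alert
        "Image": r"C:\Windows\System32\schtasks.exe",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r'schtasks.exe /query /tn "\Microsoft\Windows\UpdateOrchestrator\Schedule Scan"',
    },
    {   # task creation, but the payload is under Program Files: medium only
        "Image": r"C:\Windows\System32\schtasks.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'schtasks /create /sc daily /tn Backup /tr "C:\Program Files\Backup\run.exe"',
    },
    {   # legacy at.exe pointing straight at %TEMP%
        "Image": r"C:\Windows\System32\at.exe",
        "ParentImage": r"C:\Users\victim\AppData\Roaming\sub\payload.exe",
        "CommandLine": r'at.exe 23:00 "%TEMP%\update.exe"',
    },
]

TASK_TOOLS = ("\\schtasks.exe", "\\at.exe")
MODIFY_SWITCHES = {"/create", "/change", "/delete", "/run"}
PATH_SWITCHES = {"/tr", "/xml"}
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "%temp%", "%tmp%")
_TOKEN = re.compile(r'"[^"]*"|\S+')


def tokenize(command_line: str) -> List[str]:
    """Split a Windows command line, keeping a quoted path as one token."""
    return [t.strip('"') for t in _TOKEN.findall(command_line)]


def payload_paths(image: str, tokens: List[str]) -> List[str]:
    """Paths the task would run (/tr) or import (/xml); at.exe takes its command positionally."""
    if image.endswith("\\at.exe"):
        return [t for t in tokens[1:] if "\\" in t or t.startswith("%")]
    return [tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t.lower() in PATH_SWITCHES]


def classify(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return an alert for a task-modifying command, or None for anything else."""
    image = event["Image"].lower()
    if not image.endswith(TASK_TOOLS):
        return None
    tokens = tokenize(event["CommandLine"])
    switches = {t.lower() for t in tokens if t.startswith("/")}
    if not image.endswith("\\at.exe") and not switches & MODIFY_SWITCHES:
        return None                      # /query, /end and friends do not modify tasks
    paths = payload_paths(image, tokens)
    temp_paths = [p for p in paths if any(m in p.lower() for m in TEMP_MARKERS)]
    return {
        "severity": "high" if temp_paths else "medium",
        "command": event["CommandLine"],
        "parent": event["ParentImage"],
        "paths": paths,
        "temp_paths": temp_paths,
    }


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run classify() over a batch of process-creation events."""
    return [alert for alert in map(classify, events) if alert]


if __name__ == "__main__":
    for alert in scan(EVENTS):
        print(alert["severity"], alert["parent"], "->", alert["temp_paths"] or alert["paths"])
```

The /xml form matters because the task definition file is usually deleted once schtasks has imported it, so the command line is often the only record of where it came from; the parent image (a user-writable path rather than an installer or admin shell) is the second thing to check before escalating.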
Threat name: ByteCode-MSIL.Ransomware.TeslaCrypt
Status: Malicious
First seen: 2020-11-26 08:49:06 UTC
AV detection: 22 of 28 (78.57%)
Threat level: 5/5
Result
Malware family: nanocore
Score: 10/10
Tags: family:nanocore keylogger spyware stealer trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
NanoCore
Malware Config
C2 Extraction:
185.157.162.81:40700
nanopc.linkpc.net:40700
Unpacked files
SHA256 hash: 0f891577406d4d4be813e3d5f4e6942a4d8a25b78abd36fbba814918a5379093
MD5 hash: 3b3d9f0b93e08f0a5853c653b9032f9b
SHA1 hash: caeae09e1d70ac4b14d70224bcf1cf2eadd37163
SHA256 hash: a3a008b87ded765ed76c9bedd06dbae5f62edd573da15d376cb3fb91b4bd7f09
MD5 hash: 5ae25f51e2881f74cc9e057ef48c02a6
SHA1 hash: a8e9e48e0e788e76ce01e923946bfb0c2098b39c
SHA256 hash: e287d2b17ae9a2434088173cb0e91ce96991185e91502a09f05981faf158f21b
MD5 hash: 8d92348999b51cde5164208c0d5f7ebc
SHA1 hash: 892dbc6c18dd1d0a85a851461b838c6e7ebb99bd
SHA256 hash: 7534a4ffb8ef83103485bcce9d51b2af93730a9d578e2b8b5f7ff473c0f8092d
MD5 hash: ce724d85d4615439ff27f5573c9aaa8f
SHA1 hash: 5de819c63b446cf675c69376c9d7ec478dea9060
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_NanoCore
Author: abuse.ch
Rule name: Nanocore
Author: JPCERT/CC Incident Response Group
Description: detect Nanocore in memory
Reference: internal research
Rule name: nanocore_rat
Author: jeFF0Falltrades
Rule name: Nanocore_RAT_Feb18_1
Author: Florian Roth
Description: Detects Nanocore RAT
Reference: Internal Research - T2T
Rule name: Nanocore_RAT_Gen_2
Author: Florian Roth
Description: Detects the Nanocore RAT
Reference: https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name: win_nanocore_w0
Author: Kevin Breen <kevin@techanarchy.net>

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
NanoCore
Executable exe 7534a4ffb8ef83103485bcce9d51b2af93730a9d578e2b8b5f7ff473c0f8092d (this sample)
Delivery method: Distributed via e-mail attachment

Comments