MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 76ccacc15808e1c228af17491e3cb90623807f3b5bc3828578cf9a83a7f8904b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 76ccacc15808e1c228af17491e3cb90623807f3b5bc3828578cf9a83a7f8904b
SHA3-384 hash: 50908703695d960d41119650d965b4832ac05d46092ff389729d6f74ad781d79752afaf427cc474dee93d956ca379410
SHA1 hash: ae0de88f43b79f629c38c6990e9ba563ab35d532
MD5 hash: ce3d2c6f07c0f14cf7ffcb8af7d7fa38
humanhash: one-fillet-leopard-colorado
File name:ce3d2c6f07c0f14cf7ffcb8af7d7fa38.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:723'339 bytes
First seen:2021-04-07 16:50:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep 6144:IAPLSbA+7FZRyUakmmN681VueMiXbGQxS6MgCAZFu2KnU5rB6yxv82wNH7e6c:ZuF7yUakmmNWnuPOTgOnU50882Ge6c
Threatray 749 similar samples on MalwareBazaar
TLSH 1FF4687375A48783D04145F83941CBBA61BE7E014AE0A14FFEC13BFE69B93C395251AA
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
NanoCore C2:
40.71.91.165:8092

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
40.71.91.165:8092 https://threatfox.abuse.ch/ioc/7194/

Intelligence

File Origin
# of uploads :
1
# of downloads :
196
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ce3d2c6f07c0f14cf7ffcb8af7d7fa38.exe
Verdict:
Malicious activity
Analysis date:
2021-04-07 16:52:27 UTC
Tags:
installer rat nanocore trojan
Link:
https://app.any.run/tasks/9788c693-bfc3-46b0-8539-b863944c30a6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/132900/
Detection(s):
Win.Trojan.Generic-9848208-0
Create hunting rule

Win.Trojan.Spynoon-9848587-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Sending a custom TCP request
Sending a UDP request
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Creating a window
Creating a file in the Program Files subdirectories
Creating a file
Launching a process
Deleting a recently created file
DNS request
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/668989
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 383423 Sample: zr0evNqvkC.exe Startdate: 07/04/2021 Architecture: WINDOWS Score: 100 60 backu4734.duckdns.org 2->60 66 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->66 68 Found malware configuration 2->68 70 Malicious sample detected (through community Yara rule) 2->70 72 13 other signatures 2->72 9 zr0evNqvkC.exe 1 13 2->9         started        13 zr0evNqvkC.exe 12 2->13         started        15 dhcpmon.exe 12 2->15         started        17 dhcpmon.exe 12 2->17         started        signatures3 process4 file5 50 C:\Users\user\AppData\Roaming\...\Adobe.exe, PE32 9->50 dropped 52 C:\Users\user\AppData\Local\Temp\...\9izy.dll, PE32 9->52 dropped 76 Detected unpacking (changes PE section rights) 9->76 78 Detected unpacking (creates a PE file in dynamic memory) 9->78 80 Detected unpacking (overwrites its own PE header) 9->80 82 Uses schtasks.exe or at.exe to add and modify task schedules 9->82 19 zr0evNqvkC.exe 1 15 9->19         started        54 C:\Users\user\AppData\Local\Temp\...\9izy.dll, PE32 13->54 dropped 84 Maps a DLL or memory area into another process 13->84 24 zr0evNqvkC.exe 3 13->24         started        56 C:\Users\user\AppData\Local\Temp\...\9izy.dll, PE32 15->56 dropped 26 dhcpmon.exe 3 15->26         started        58 C:\Users\user\AppData\Local\Temp\...\9izy.dll, PE32 17->58 dropped 28 dhcpmon.exe 2 17->28         started        signatures6 process7 dnsIp8 62 backu4734.duckdns.org 40.71.91.165, 49737, 49739, 49745 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 19->62 64 192.168.2.1 unknown unknown 19->64 38 C:\Program Files (x86)\...\dhcpmon.exe, PE32 19->38 dropped 40 C:\Users\user\AppData\Roaming\...\run.dat, data 19->40 dropped 42 C:\Users\user\AppData\Local\...\tmpE5B6.tmp, XML 19->42 dropped 44 C:\...\dhcpmon.exe:Zone.Identifier, ASCII 19->44 dropped 74 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->74 30 schtasks.exe 1 19->30         started        32 schtasks.exe 1 19->32         started        46 C:\Users\user\AppData\...\zr0evNqvkC.exe.log, ASCII 24->46 dropped 48 C:\Users\user\AppData\...\dhcpmon.exe.log, ASCII 26->48 dropped file9 signatures10 process11 process12 34 conhost.exe 30->34         started        36 conhost.exe 32->36         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/76ccacc15808e1c228af17491e3cb90623807f3b5bc3828578cf9a83a7f8904b/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-04-01 10:28:34 UTC
AV detection:
11 of 45 (24.44%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=o3gkzqkybdq4ekfpc5er4pfzayrya7z3lpbyfblyz6nihj7ysbfq._file
Verdict:
suspicious
Similar samples:
4ee463200a2e23f5f8cd27820da94a17de71dfbcdd4793524262d6ab2099b44c
NanoCore
61d71ab4e23eba8055de07d4283a6e2f70e00fbb3c4fdeaf8ae8258fafe340f7
NanoCore
791232ba8efdbe3778e195b4a96173183e44d101af42f0b308cca758ccd4d17c
NanoCore
8875bcc3b28c05466bf313def566f00467cfdc7c72626b445f10169943294180
NanoCore
95f117deabf4aeb36402033a7ca35e717f7a31c8bf9330acbf8934fb483c5d3e
NanoCore
9785024470a4d46ec73337a43698c74387853bbe500c7d893eed47730da1ecd5
NanoCore
bf645fad6cb23a9422e58a642b223a5d6a2dfc616c7480dfdd02393838f399b5
NanoCore
c67a752275a99a0ba74a93e5a715a591ad9db9eb010759cdf41b1e7df980e84d
NanoCore
cf9895b3086ece4cf7fb15d831b7257578897021f8996cbabcbdd14f181941fa
NanoCore
da1f1c571091e69d504819a85f0a8e1cd35e45f4a1d863320b51f0ff39817073
NanoCore
+ 739 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210407-w2h5bjesyx/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
NanoCore
Malware Config
C2 Extraction:
backu4734.duckdns.org:8092
Unpacked files
SH256 hash:
1f35bb6728237483c779005fc227e69fef51b0bafd32d15855d483948a337078
MD5 hash:
eef9e469e8a30717974499f277d97e2a
SHA1 hash:
2d33c25984ebd9116beeb55cdde4c5c86c023e5d
Link:
https://www.unpac.me/results/2489fa53-b779-4d9a-873d-f4ff451b0ad1/
SH256 hash:
0cc5e312ea0d1392a5dcd3e2e4eb908b0cf5de8f8d4489977cc63dd5dad1b368
MD5 hash:
56f8e34bc702f2ae5d4de0e0a5e2ae34
SHA1 hash:
652477501cb2ac86642f0ff400575713ec39af4f
Link:
https://www.unpac.me/results/2489fa53-b779-4d9a-873d-f4ff451b0ad1/
SH256 hash:
76ccacc15808e1c228af17491e3cb90623807f3b5bc3828578cf9a83a7f8904b
MD5 hash:
ce3d2c6f07c0f14cf7ffcb8af7d7fa38
SHA1 hash:
ae0de88f43b79f629c38c6990e9ba563ab35d532
Link:
https://www.unpac.me/results/2489fa53-b779-4d9a-873d-f4ff451b0ad1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/76ccacc15808e1c228af17491e3cb90623807f3b5bc3828578cf9a83a7f8904b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:nanocore_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/132900/

Comments