MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7824efe18fb422bf6ddc22ced42e3d095e04a0fff127a835104b9f2f8c49ac10. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: 7824efe18fb422bf6ddc22ced42e3d095e04a0fff127a835104b9f2f8c49ac10
SHA3-384 hash: 654206aa793057bdb14ebdb12d81813d7468ec793bfb9009f2edc16452c23956be02aaeeb465152ec0d3343eb7b2b386
SHA1 hash: 7ba8814442b40d0da01d7308117d4b9e481e7d3b
MD5 hash: 1624aa120c92768bf01124abe519761a
humanhash: white-moon-foxtrot-montana
File name: Chqe3zQa.exe
Signature: NanoCore
File size: 214'528 bytes
First seen: 2020-08-01 13:46:00 UTC
Last seen: 2020-08-01 15:50:11 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep: 6144:ALV6Bta6dtJmakIM5BWwKfmX3++XPey7S:ALV6BtpmkA73X3+KPv7S
TLSH: 8924C01677A9492FE2DE8679601252438379C2E3E8C3F3EF18D865B68F667E506070D3
Reporter: @viql
Tags: NanoCore


Twitter
@viql
nanocore via https://pastebin.com/raw/Chqe3zQa

Intelligence


File Origin
# of uploads: 3
# of downloads: 47
Origin country: US
Mail intelligence: No data
Vendor Threat Intelligence
Detection(s):
Result
Threat name: Nanocore
Detection: malicious
Classification: troj.evad
Score: 88 / 100
Signature
.NET source code contains potential unpacker
Detected Nanocore Rat
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Uses dynamic DNS services
Yara detected Nanocore RAT
Behaviour
Threat name: ByteCode-MSIL.Backdoor.NanoCore
Status: Malicious
First seen: 2020-08-01 13:47:04 UTC
AV detection: 31 of 31 (100.00%)
Threat level: 5/5
Result
Malware family: nanocore
Score: 10/10
Tags: evasion trojan keylogger stealer spyware family:nanocore
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Checks whether UAC is enabled
NanoCore

Yara Signatures


Rule name: ach_NanoCore
Author: abuse.ch

Rule name: Nanocore
Author: JPCERT/CC Incident Response Group
Description: detect Nanocore in memory
Reference: internal research

Rule name: Nanocore_RAT_Feb18_1
Author: Florian Roth
Description: Detects Nanocore RAT
Reference: Internal Research - T2T

Rule name: Nanocore_RAT_Gen_2
Author: Florian Roth
Description: Detetcs the Nanocore RAT
Reference: https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name: win_nanocore_w0
Author: Kevin Breen <kevin@techanarchy.net>

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments