MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a84aa92f81ee3e9e694a8105b94a825147abf2504572a8fb3fb333d574bd33f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7a84aa92f81ee3e9e694a8105b94a825147abf2504572a8fb3fb333d574bd33f
SHA3-384 hash: 34e0576cb117dd19edfaf96f13ea2c3a7bcce26a41a1014f1307fce47959a0c3ccce755b0776df94d028ab9acaf0e2a5
SHA1 hash: 275b5fe2add721d65ff29db7dc36d5501e3c9ad3
MD5 hash: 10d1dc044b4f546c7e1c29f40d364a77
humanhash: colorado-mexico-alanine-queen
File name:SecuriteInfo.com.Trojan.GenericKD.46387517.4377.1169
Download: download sample
Signature NanoCore
Create hunting rule
File size:208'896 bytes
First seen:2021-05-31 09:56:51 UTC
Last seen:2021-05-31 10:37:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1abc0dab2264c6ccb12f07d7e589e0ba (1 x GuLoader, 1 x NanoCore)
ssdeep 3072:5+tl5Nwfu2O2xdqJqSlWbLPz374eQBDplqLkgtLDebI5aj/pdmi:sBojbjjEeWDplqQgtubI54dm
Threatray 4'851 similar samples on MalwareBazaar
TLSH F614FC36BB09E72AF85193B03E41D1FB61363B3345574B07BB802B5AE4A52CB7DB0A15
Reporter SecuriteInfoCom
Tags:exe NanoCore

Intelligence

File Origin
# of uploads :
2
# of downloads :
129
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Booking Confirmation.xlsx
Verdict:
Malicious activity
Analysis date:
2021-05-31 07:34:56 UTC
Tags:
encrypted trojan opendir exploit CVE-2017-11882 loader nanocore rat
Link:
https://app.any.run/tasks/42353a5e-e444-47cc-9161-50dabb076f7a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/163413/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.46387517.4377.1169.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Nanocore GuLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/794604
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Potential malicious icon found
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected GuLoader
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 427000 Sample: SecuriteInfo.com.Trojan.Gen... Startdate: 31/05/2021 Architecture: WINDOWS Score: 100 49 rnnfibi.hopto.org 2->49 55 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->55 57 Multi AV Scanner detection for domain / URL 2->57 59 Potential malicious icon found 2->59 61 10 other signatures 2->61 9 SecuriteInfo.com.Trojan.GenericKD.46387517.4377.exe 2->9         started        12 dhcpmon.exe 4 2->12         started        14 RegAsm.exe 4 2->14         started        16 dhcpmon.exe 3 2->16         started        signatures3 process4 signatures5 71 Writes to foreign memory regions 9->71 73 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 9->73 75 Tries to detect Any.run 9->75 77 2 other signatures 9->77 18 RegAsm.exe 1 21 9->18         started        23 RegAsm.exe 9->23         started        25 RegAsm.exe 9->25         started        27 conhost.exe 12->27         started        29 conhost.exe 14->29         started        31 conhost.exe 16->31         started        process6 dnsIp7 51 farmersschool.ge 91.212.213.18, 49731, 80 SERVGE-ASDatacenterandHostingProviderGE Georgia 18->51 53 rnnfibi.hopto.org 199.195.253.181, 49732, 49733, 49734 PONYNETUS United States 18->53 43 C:\Users\user\AppData\Roaming\...\run.dat, ISO-8859 18->43 dropped 45 C:\Users\user\AppData\Local\...\tmp8700.tmp, XML 18->45 dropped 47 C:\Program Files (x86)\...\dhcpmon.exe, PE32 18->47 dropped 63 Tries to detect Any.run 18->63 65 Hides threads from debuggers 18->65 67 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->67 33 schtasks.exe 1 18->33         started        35 schtasks.exe 1 18->35         started        37 conhost.exe 18->37         started        69 Uses schtasks.exe or at.exe to add and modify task schedules 23->69 file8 signatures9 process10 process11 39 conhost.exe 33->39         started        41 conhost.exe 35->41         started       
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7a84aa92f81ee3e9e694a8105b94a825147abf2504572a8fb3fb333d574bd33f/
Threat name:
ByteCode-MSIL.Backdoor.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2021-05-30 03:42:36 UTC
AV detection:
17 of 45 (37.78%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
32672928863af3e154d0e2cc454c5fd31f217a3bfabc7acff2223bb72a5bbe6f
NanoCore
3591293a05792261840f36bdbff14ca1eb850764d074ee325cfc9c1351d2d1d9
NanoCore
68f58a48d09d07cd851a8d03cef1a6000f715257fbfbad215e22013ac7a7e611
NanoCore
6c094a18d2ab75c95ffc39399cece2eebdb8064f91cec40226be037fb20f64d9
NanoCore
97a6b33da5bd1caba8bf16c1a6457bda8b50ccc25d154962e53d437a8c35661f
NanoCore
a2bd87a81b3cc4f40cc8f1e6ba1111a010ad3970b4dff9e98c729142af28b823
NanoCore
b60440f67015b49577c8f2c61231ddd36c5d343373c3798bfc8cc5c2a1ce14f1
NanoCore
c0fb3989dccc0e8aa3c3b0e95a8b6cc3982c41c80930998efc1ac26613b0153e
NanoCore
d4577b6598fbbf11cfa28b876e1bcb6eaaaa256a8a3f1e82a88ae561854da9ad
NanoCore
f8e52fa75724eb08c0ec68db6799740ad36c7178b8f0dd7c8b0ee755ff60c653
NanoCore
+ 4'841 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:nanocore downloader evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210531-dtpxf1lhd6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Checks QEMU agent file
Guloader,Cloudeye
NanoCore
Malware Config
C2 Extraction:
http://farmersschool.ge/x7_FaMuTlpyF149.binhttp://decosa.co.hu/x7_FaMuTlpyF149.bin
rnnfibi.hopto.org:54666
127.0.0.1:54666
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
GuLoader
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7a84aa92f81ee3e9e694a8105b94a825147abf2504572a8fb3fb333d574bd33f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NanoCore

Executable exe 7a84aa92f81ee3e9e694a8105b94a825147abf2504572a8fb3fb333d574bd33f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1306418/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/163413/

Comments