MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7fe0951030252a21e854df2b75f30e6495f076e99a183ad0fd422689352122f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 12



SHA256 hash: 7fe0951030252a21e854df2b75f30e6495f076e99a183ad0fd422689352122f7
SHA3-384 hash: 7eddd7c29833688b69bf77b1fa83b1858bffc7185ff7d8f2b3bbe8e8f567b90c3c7fc4d75d7c968f0b308dda36d15fc0
SHA1 hash: 958b605814a4eb74a2dd871579ec411ac068424f
MD5 hash: 7de5870b5ec0335ca31eb692f494ede1
humanhash: alpha-one-montana-speaker
File name: 7fe0951030252a21e854df2b75f30e6495f076e99a183ad0fd422689352122f7
Download: download sample
Signature: NanoCore
File size: 932'736 bytes
First seen: 2021-02-28 07:09:34 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 3c98c11017e670673be70ad841ea9c37 (5 x HawkEye, 5 x NanoCore, 4 x Plugx)
ssdeep: 24576:f2O/Gl8aURosoJbYr5x6kYRSwmxhKbH3rUO46Gju:IURoEepSwmxUT3i7u
Threatray: 1'683 similar samples on MalwareBazaar
TLSH: 061523037AD84072DA6321356ABB3907F9BCD9781579F80CCB16151E7E72A83C52EB63
Reporter: JAMESWT_WT
Tags: NanoCore

Intelligence

File Origin
# of uploads: 1
# of downloads: 109
Origin country: n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7fe0951030252a21e854df2b75f30e6495f076e99a183ad0fd422689352122f7
Verdict:
Malicious activity
Analysis date:
2021-02-28 07:27:21 UTC
Tags:
autoit rat nanocore

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Delayed reading of the file
Creating a process from a recently created file
Enabling the 'hidden' option for files in the %temp% directory
Launching a process
Creating a file in the %AppData% subdirectories
Deleting a recently created file
DNS request
Connection attempt
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Nanocore
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sigma detected: NanoCore
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AntiVM autoit script
Yara detected Nanocore RAT
Behaviour
Behavior Graph (ID: 359562, Sample: ts4V1bzlX2, Startdate: 28/02/2021, Architecture: WINDOWS, Score: 100)

Root-level signatures:
  Found malware configuration
  Malicious sample detected (through community Yara rule)
  Multi AV Scanner detection for submitted file
  7 other signatures

Process tree (reconstructed from the graph):
  ts4V1bzlX2.exe (started)
    dropped: C:\Users\user\AppData\Local\Temp\...\nmn.exe, PE32
    nmn.exe (started)
      signature: Contains functionality to inject code into remote processes
      nmn.exe (started)
        signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Sample uses process hollowing technique; Injects a PE file into a foreign processes
        RegSvcs.exe (started)
          network: codamasaru00.duckdns.org 41.203.72.108, 35356 globacom-asNG Nigeria
          dropped: C:\Users\user\AppData\Roaming\...\run.dat, ISO-8859
          signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
  nmn.exe (started)
    nmn.exe (started)
      signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Sample uses process hollowing technique; Injects a PE file into a foreign processes
      RegSvcs.exe (started)
Threat name:
Win32.Backdoor.DarkComet
Status:
Malicious
First seen:
2021-02-21 01:14:00 UTC
AV detection:
18 of 29 (62.07%)
Threat level:
5/5
Result
Malware family:
nanocore
Score:
10/10
Tags:
family:nanocore keylogger persistence spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
NanoCore
Malware Config
C2 Extraction:
codamasaru00.duckdns.org:35356
Unpacked files
SHA256 hash:
dab35291500a4bf9751b8228c03cd88959b7aa90870a6d990a8d1b3a486cbb9c
MD5 hash:
451ea63db388c2bfa9be2a1accf2163f
SHA1 hash:
b9d6b82e8535079c1e9576edd6f331de06eb528e
SHA256 hash:
4be92bf390d1a6d9b30ec1838a3ce230e42f0c0a05f7efe128fa579ed3dad363
MD5 hash:
58214cc58b3b765c482b11523bd9feee
SHA1 hash:
e9615cb9b4846b8ac9a9c16663d43dd30986ef4b
SHA256 hash:
7fe0951030252a21e854df2b75f30e6495f076e99a183ad0fd422689352122f7
MD5 hash:
7de5870b5ec0335ca31eb692f494ede1
SHA1 hash:
958b605814a4eb74a2dd871579ec411ac068424f
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_NanoCore
Author: abuse.ch
Rule name: Nanocore
Author: JPCERT/CC Incident Response Group
Description: detect Nanocore in memory
Reference: internal research
Rule name: nanocore_rat
Author: jeFF0Falltrades
Rule name: Nanocore_RAT_Feb18_1
Author: Florian Roth
Description: Detects Nanocore RAT
Reference: Internal Research - T2T
Rule name: Nanocore_RAT_Gen_2
Author: Florian Roth
Description: Detects the Nanocore RAT
Reference: https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name: win_nanocore_w0
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments