MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8022107099f9689b77a6e6792eca5472b216b53adb35421ce7ae18a4298807e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 10

Intelligence 10 IOCs 1 YARA 2 File information Comments

SHA256 hash:	8022107099f9689b77a6e6792eca5472b216b53adb35421ce7ae18a4298807e8
SHA3-384 hash:	2218a5717b140e17277360c699877cad791b99d28c21a853df5ee69692f653dafc18977fee3e8ca67a035f0f850d05ea
SHA1 hash:	6828ea00ed79e4ced9647b62cfcb87e616186185
MD5 hash:	f5442e95d69f7d3d206db4875a580fd8
humanhash:	fruit-mirror-nine-robin
File name:	cp500 payment deposit 2021.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	884'736 bytes
First seen:	2021-05-31 11:11:06 UTC
Last seen:	2021-05-31 12:16:37 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:LEUhy6N9whqBoUHLNWK7mZJ6ypF22wBi8Md8RTAOhE0GAf2puLrMzrM6SA5oDwjE:ihqNNWBnVwBiVyAT0LecLRcjLc4G
Threatray	2'503 similar samples on MalwareBazaar
TLSH	2D15E02232DD9BD5C33D83F98D90F46603F4A4EBE722DE3D2E8590994562740CA726BD
Reporter	abuse_ch
Tags:	exe NanoCore RAT

abuse_ch

NanoCore C2:
194.5.97.184:8134

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
194.5.97.184:8134	https://threatfox.abuse.ch/ioc/67839/

Intelligence

File Origin

# of uploads :

# of downloads :

141

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

cp500 payment deposit 2021.exe

Verdict:

Malicious activity

Analysis date:

2021-05-31 11:13:12 UTC

Tags:

trojan nanocore rat

Link:

https://app.any.run/tasks/6e996b69-fa42-4bbe-bb5c-16082aebe477

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

NanoCore

Link:

https://www.capesandbox.com/analysis/163432/

Detection(s):

SecuriteInfo.com.Trojan.Win32.Save.a.10580.19959.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Nanocore

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/794647

Signature

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Detected Nanocore Rat

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected Nanocore RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

nanocore

Link:

https://mwdb.cert.pl/sample/8022107099f9689b77a6e6792eca5472b216b53adb35421ce7ae18a4298807e8/

Threat name:

Win32.Trojan.Pwsx

Status:

Malicious

First seen:

2021-05-31 11:01:03 UTC

AV detection:

3 of 45 (6.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qarba4ez7fujw55g4z4s5ssuokzbnnj23m2uehhhvymkikmia7ua._file

Verdict:

malicious

Label(s):

nanocorerat

NanoCore

29800b7d8e8c3c60918a37c992a2890b4ccf9e4e0c949accd48821302d0f2891

NanoCore

41617ac4431c229ba27bf94617b465309e7f502ae5088cd12ee571a0428ea120

NanoCore

4f0035201ba7a3a536727862b8ac8dbf389038c5af1674ff7a982190fed1e30b

NanoCore

5b474ca6fc8158bd6f14d53bca8962f25db3392dfe324f49ddf376610bd785e4

NanoCore

69fa6ebff614598a1243cb00bc9a7c69e60fca3c3fd93da4157c418d202f1542

NanoCore

9630854693b8e9d6be3490068ba7c5797232578c1366480c17546079f880e19b

NanoCore

c52ddeac61f16fb23ff925617fba081392b7aabe47c82c765513755d38e62cde

NanoCore

d6dd125366422144fd21e2281699aeb71fddd1680d2b73c968558a3e68408f60

NanoCore

d70c3b1461ede99c050cd585bed7e5dc5ec536ca7b1d4c9a2461408fbefd5849

NanoCore

+ 2'493 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

family:nanocore evasion keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210531-pwrgsa996j/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Checks whether UAC is enabled

NanoCore

Malware Config

C2 Extraction:

kalyppo.ddns.net:8134
kalyppo2.ddns.net:8134

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8022107099f9689b77a6e6792eca5472b216b53adb35421ce7ae18a4298807e8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/163432/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample