MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8192d560e89e235f4734cf4ad8fa3a9a91abd7eb83b589c4d471efc5d6361f1d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8192d560e89e235f4734cf4ad8fa3a9a91abd7eb83b589c4d471efc5d6361f1d
SHA3-384 hash: 37a3926607c2cd3ce6d3fd3a4a5c2b73c217f43718f0c79931f71198f04ed74efa5a81d87ac7da8b784ecc1d7ae02f44
SHA1 hash: f8a1f97a7f45352da7fe8bf8f64f58f048c05565
MD5 hash: 8996db32c4a4ded97f38eccaa6ddaa97
humanhash: paris-lactose-louisiana-july
File name:GMT_RFQ_20201910,pdf.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:867'840 bytes
First seen:2020-10-19 07:22:39 UTC
Last seen:2020-10-19 08:24:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:z5ylZPMIPAw2wv/5B1zbq5TZSMpRH1ECk:z5eZPaw2b5Fl
Threatray 1'225 similar samples on MalwareBazaar
TLSH 9005AE251A845F94E13D4333A4A4148093F5BD03D335CA6F7DE93A4E5EB1FA6E22378A
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: vps.frofr-atibu.com
Sending IP: 45.95.169.149
From: benyu <benyu@gmt.com.my>
Subject: RFQ 20201019
Attachment: GMT_RFQ_20201910,pdf.zip (contains "GMT_RFQ_20201910,pdf.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
101
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.Backdoor.Remcos.25081.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/494986
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 299959 Sample: GMT_RFQ_20201910,pdf.exe Startdate: 19/10/2020 Architecture: WINDOWS Score: 100 43 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->43 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 13 other signatures 2->49 8 GMT_RFQ_20201910,pdf.exe 7 2->8         started        12 MSBuild.exe 2 2->12         started        process3 file4 29 C:\Users\user\AppData\...\XNESvLOLJCqph.exe, PE32 8->29 dropped 31 C:\...\XNESvLOLJCqph.exe:Zone.Identifier, ASCII 8->31 dropped 33 C:\Users\user\AppData\Local\...\tmpCB9B.tmp, XML 8->33 dropped 35 C:\Users\...behaviorgraphMT_RFQ_20201910,pdf.exe.log, ASCII 8->35 dropped 51 Writes to foreign memory regions 8->51 53 Allocates memory in foreign processes 8->53 55 Injects a PE file into a foreign processes 8->55 14 MSBuild.exe 12 8->14         started        19 schtasks.exe 1 8->19         started        21 conhost.exe 12->21         started        signatures5 process6 dnsIp7 39 billionaire.ddns.net 91.193.75.246, 3734, 49720 DAVID_CRAIGGG Serbia 14->39 37 C:\Users\user\AppData\Roaming\...\run.dat, SysEx 14->37 dropped 41 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->41 23 schtasks.exe 1 14->23         started        25 conhost.exe 19->25         started        file8 signatures9 process10 process11 27 conhost.exe 23->27         started       
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8192d560e89e235f4734cf4ad8fa3a9a91abd7eb83b589c4d471efc5d6361f1d/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-19 03:55:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
23
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qgjnkyhityrv6rzuz5fnr6r2tki2xv7lqo2ytrguohx4lvrwd4oq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
02a438010c995c0587226655a3e2420af6d60c1f09696753c5ef28c7b72c1f4d
NanoCore
036c0fbb1ffb23e9bfd4b4834a396d79ec319078865adf3ef75418450cf9fd18
NanoCore
11e8dbf88b15aa6f09d5f7d9fffd3f333ec9a84b6bb9b9bb8c69dad6f5890603
NanoCore
1ddce9c11a9b35eb6d55006504b47ab27bcef3edc7747c49d4573712a5a3b275
NanoCore
24683ff5c436b2b56e96268ba4c591e8f80e9995623a0a1f6e6c7adf5bd2a62c
NanoCore
24bbbef09b9e58d6da0fe8ae7dbfbc093dc5287cb26dc98e948684a1fc442642
NanoCore
3cb221973d52d12fc900f37496a9c5f77b30da63886a0f7d54111982c00e872b
NanoCore
56a37f303bc905ace197941dcc0519f3880baffe10c6d3ecfc80bbff1aae9059
NanoCore
5fd2a9f7370fb2395eba599c52c1a8297d2e5074dea8122e181a3be762b0fac2
NanoCore
ccf661061226a4fe358b46c6fab8a29686323e41aa50fe06c06963c9939a2669
NanoCore
+ 1'215 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
keylogger trojan stealer spyware family:nanocore
Link:
https://tria.ge/reports/201019-sqfkdhcvbs/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
NanoCore
Malware Config
C2 Extraction:
billionaire.ddns.net:3734
Unpacked files
SH256 hash:
8192d560e89e235f4734cf4ad8fa3a9a91abd7eb83b589c4d471efc5d6361f1d
MD5 hash:
8996db32c4a4ded97f38eccaa6ddaa97
SHA1 hash:
f8a1f97a7f45352da7fe8bf8f64f58f048c05565
Link:
https://www.unpac.me/results/702c1a6c-84a4-48ea-8f4d-7282d96fe5f1/
SH256 hash:
cc8869a60c5a4c361bd3a287175b62b018d4b381e95982d995f89cbf5ef545c8
MD5 hash:
21e4ca97501affb57d6f132da62dadb7
SHA1 hash:
1ba7b0926b2d042e2e51267273b9592011457ebd
Link:
https://www.unpac.me/results/702c1a6c-84a4-48ea-8f4d-7282d96fe5f1/
SH256 hash:
7add54c57ebead1ced0fdd86f1e8fbfb34d9c3f42ed0a8f1dd01c2d7fbdd22df
MD5 hash:
c92b6d01725e94682d4d1f8722d08f90
SHA1 hash:
22fedb39b80a6909343bcdf5ba846e8435841155
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/702c1a6c-84a4-48ea-8f4d-7282d96fe5f1/
Parent samples :
4132de9c0b4c5c604bed2261b999848573b44a5208482a4847c9b6b2f2ff729b
1c42bd094eeb6df10d17cb2fc16a7e167e38ee01d273f7c31ddf4775e015d59c
02a438010c995c0587226655a3e2420af6d60c1f09696753c5ef28c7b72c1f4d
a85f88d35b117dc6b63fc3ab6f9e6ca21a605032ddaf343f1ad6b32b86aa344e
8192d560e89e235f4734cf4ad8fa3a9a91abd7eb83b589c4d471efc5d6361f1d
ec230920e758500130af04a1e4231e62ffcbdfab7e548c865e84fb037ad42eb0
9a010009db0cef15b26b8c0698dcabc904aff124a484334bbba646c6f0a3084e
509de021147bf9903bae027143b68b38d92901161454cd8058ad56e39fcd143b
f001ad70af35a98383e07a785b7a6298fe510b1713633aecedc4d3429f6b39b5
ea8ea37e535102a446a8c2f88ef6a3c9277e996a32144449cde729bda80e16f2
SH256 hash:
5c7244c2404b1ac94b30b6f2db8ce8ed8b8bdabd7185f85e47aba4b6eb2bcc12
MD5 hash:
77625253c7b8e2a49ebc2b4d0e75253c
SHA1 hash:
2f67c09ebd7f511a7da30c6b5144bd37517d9b03
Link:
https://www.unpac.me/results/702c1a6c-84a4-48ea-8f4d-7282d96fe5f1/
SH256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
Link:
https://www.unpac.me/results/702c1a6c-84a4-48ea-8f4d-7282d96fe5f1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8192d560e89e235f4734cf4ad8fa3a9a91abd7eb83b589c4d471efc5d6361f1d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

zip 6df478ac55831f500c983ce47a640fccf0c9b2ba4e4ac6cb8518439ca4235fd6

NanoCore

Executable exe 8192d560e89e235f4734cf4ad8fa3a9a91abd7eb83b589c4d471efc5d6361f1d

(this sample)

  
Dropped by
MD5 1962750dc9fda2051e2e9a72bb57d65a
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/72777/
  
Dropped by
SHA256 6df478ac55831f500c983ce47a640fccf0c9b2ba4e4ac6cb8518439ca4235fd6

Comments