MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8d3705b3e2f5235b90628ca4e92e40062fe407e4b8e035f9f1c67e8a33f72ac2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8d3705b3e2f5235b90628ca4e92e40062fe407e4b8e035f9f1c67e8a33f72ac2
SHA3-384 hash: 03ff1db4116e9379c7b9b38fbeef85b9c9f9fbbbce06a947039432d887dffb4bec1aa49385f5e4eb2a94287183576145
SHA1 hash: 40715f16e18df4f3fde566b4e343bafb177756d2
MD5 hash: 21ada287be8532f3f826d16a0724c2b4
humanhash: india-hawaii-romeo-violet
File name:SecuriteInfo.com.Trojan.Olock.1.14845.17272
Download: download sample
Signature NanoCore
Create hunting rule
File size:1'155'072 bytes
First seen:2022-07-15 03:43:46 UTC
Last seen:2024-07-24 18:49:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:RBgI1DHDy65rWEy+uavk0E3RuvMRK7hia9Y8H:RBJ1SIregvMRK7Y4Y8
TLSH T19B359C4461774BE5C2744BF5C31D2D460FA12D4BA4EBDA396E82BCDB1370B8BA6009B7
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 71d4ccf0ccb2f071 (1 x NanoCore, 1 x PureCrypter)
Reporter SecuriteInfoCom
Tags:exe NanoCore

Intelligence

File Origin
# of uploads :
2
# of downloads :
217
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
nanocore
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Trojan.Olock.1.14845.17272
Verdict:
Malicious activity
Analysis date:
2022-07-15 05:25:09 UTC
Tags:
trojan nanocore rat
Link:
https://app.any.run/tasks/d00bba32-e51a-4c5b-83d3-37da387fd6aa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/289333/
Detection(s):
SecuriteInfo.com.Trojan.Olock.1.14845.17272.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62d0e2c38dab2096b99c766f/reports/c201807b-4747-44d9-b623-fcaf9818e716/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NanoCoreRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9fcb08d9-51c4-40d8-9be6-107b3fe3c409
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1032218
Signature
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 664715 Sample: SecuriteInfo.com.Trojan.Olo... Startdate: 15/07/2022 Architecture: WINDOWS Score: 100 54 config.linkpc.net 2->54 60 Snort IDS alert for network traffic 2->60 62 Malicious sample detected (through community Yara rule) 2->62 64 Multi AV Scanner detection for dropped file 2->64 66 10 other signatures 2->66 9 SecuriteInfo.com.Trojan.Olock.1.14845.exe 7 2->9         started        13 SecuriteInfo.com.Trojan.Olock.1.14845.exe 4 2->13         started        signatures3 process4 file5 46 C:\Users\user\AppData\...\qDniZRyiij.exe, PE32 9->46 dropped 48 C:\Users\...\qDniZRyiij.exe:Zone.Identifier, ASCII 9->48 dropped 50 C:\Users\user\AppData\Local\...\tmpF4AF.tmp, XML 9->50 dropped 52 SecuriteInfo.com.T...ock.1.14845.exe.log, ASCII 9->52 dropped 68 Uses schtasks.exe or at.exe to add and modify task schedules 9->68 70 Adds a directory exclusion to Windows Defender 9->70 72 Injects a PE file into a foreign processes 9->72 15 SecuriteInfo.com.Trojan.Olock.1.14845.exe 14 9->15         started        20 powershell.exe 25 9->20         started        22 schtasks.exe 1 9->22         started        24 SecuriteInfo.com.Trojan.Olock.1.14845.exe 9->24         started        26 powershell.exe 13->26         started        28 schtasks.exe 13->28         started        30 SecuriteInfo.com.Trojan.Olock.1.14845.exe 13->30         started        signatures6 process7 dnsIp8 56 config.linkpc.net 188.127.231.93, 3425, 49724, 49725 DHUBRU Russian Federation 15->56 44 C:\Users\user\AppData\Roaming\...\run.dat, ISO-8859 15->44 dropped 58 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->58 32 schtasks.exe 1 15->32         started        34 conhost.exe 20->34         started        36 conhost.exe 22->36         started        38 conhost.exe 26->38         started        40 conhost.exe 28->40         started        file9 signatures10 process11 process12 42 conhost.exe 32->42         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8d3705b3e2f5235b90628ca4e92e40062fe407e4b8e035f9f1c67e8a33f72ac2/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-07-15 03:44:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
28
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ru3qlm7c6urvxedcrssoslsaayx6ib7exdqdl6pryz7ium7xflba._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger spyware stealer suricata trojan
Link:
https://tria.ge/reports/220715-eajwyadcej/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Checks computer location settings
suricata: ET MALWARE Possible NanoCore C2 60B
NanoCore
Malware Config
C2 Extraction:
config.linkpc.net:3425
Unpacked files
SH256 hash:
d3be370d7e129d75cbe192264b3a1f31cd1012b71d41b7dbd3f99f1900a8626b
MD5 hash:
099c689195d7a4a8301b0449985ad8b3
SHA1 hash:
6ca26f079cec55d07150e3ce5975f3d56a288bfe
Link:
https://www.unpac.me/results/ed27a1c4-2c2e-4f1f-ac7c-286b301ba968/
SH256 hash:
883b63ef84c6b1cc09687962beca56e4f4b7960df7c5459e29998befaa3ccf15
MD5 hash:
ecb3f27eb8279c51608c8ea8f8050655
SHA1 hash:
82385d75444ab5fccacf37e2746c7dce73faa7f3
Link:
https://www.unpac.me/results/ed27a1c4-2c2e-4f1f-ac7c-286b301ba968/
SH256 hash:
07a669badf12ee362884eca88c04ff18b102b9cf7b59653807fc451ad4e7b8fe
MD5 hash:
f6df51f6176af38265fd8933b3f473a7
SHA1 hash:
2c7549beab772727065d025417e42ad6840294b9
Link:
https://www.unpac.me/results/ed27a1c4-2c2e-4f1f-ac7c-286b301ba968/
SH256 hash:
6ffb38acdee73c6bbfb12327cfc3e3c1a750280b3475495eb168e589ab6646f6
MD5 hash:
05cd2df85e91d53bded122d40959b1d7
SHA1 hash:
91cb05fd681954ea12d39d1d440344259cde5ce7
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/ed27a1c4-2c2e-4f1f-ac7c-286b301ba968/
SH256 hash:
8d3705b3e2f5235b90628ca4e92e40062fe407e4b8e035f9f1c67e8a33f72ac2
MD5 hash:
21ada287be8532f3f826d16a0724c2b4
SHA1 hash:
40715f16e18df4f3fde566b4e343bafb177756d2
Link:
https://www.unpac.me/results/ed27a1c4-2c2e-4f1f-ac7c-286b301ba968/
Malware family:
NanoCore
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8d3705b3e2f5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8d3705b3e2f5235b90628ca4e92e40062fe407e4b8e035f9f1c67e8a33f72ac2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/289333/

Comments