MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9062ad9019224f0ec0bf6521c3100894604af55ff0124a53edf46224907823f8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9062ad9019224f0ec0bf6521c3100894604af55ff0124a53edf46224907823f8
SHA3-384 hash: 98d965111f62db787d00487020621b02ddd3dcf4e3623aa7805915da76ca2eed0f79dc71823f53cb646e8bf43e609f20
SHA1 hash: 29dd733d1c8bb6ecec35a99f7be144ea59cd79f8
MD5 hash: fa70550a455ffc5650898ffae8804950
humanhash: quebec-lactose-lithium-juliet
File name:fa70550a455ffc5650898ffae8804950.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:1'006'592 bytes
First seen:2022-07-21 15:35:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:lm1gez+d+rdEi9YjUMw4fs+RqCDuklMT4a0aIxEEVMcRSmtju4wtFuVv4Os:uFz+4dEvjdwd+HbltaIIcYmt64AGQOs
Threatray 6'988 similar samples on MalwareBazaar
TLSH T1492533B1352ADB97EF5EE7BFB5A19241237353589257C31EB6E2E00431513020E6BEE1
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
NanoCore C2:
91.193.75.134:8282

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
91.193.75.134:8282 https://threatfox.abuse.ch/ioc/838998/

Intelligence

File Origin
# of uploads :
1
# of downloads :
348
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/293208/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.17641.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
75%
Tags:
packed
Link:
https://www.filescan.io/uploads/62d972648fbcdde36063947f/reports/10ec282b-129f-4e30-9c69-27c855e75fc1/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/37f2610c-d96b-405f-88fb-fa5c5a105ad1
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1038714
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 671208 Sample: KFRM1aiqoj.exe Startdate: 21/07/2022 Architecture: WINDOWS Score: 100 51 judge2020.ddns.net 2->51 61 Multi AV Scanner detection for domain / URL 2->61 63 Malicious sample detected (through community Yara rule) 2->63 65 Antivirus detection for URL or domain 2->65 67 12 other signatures 2->67 8 KFRM1aiqoj.exe 7 2->8         started        12 dhcpmon.exe 2->12         started        signatures3 process4 file5 37 C:\Users\user\AppData\RoamingbehaviorgraphkldYOHq.exe, PE32 8->37 dropped 39 C:\Users\...behaviorgraphkldYOHq.exe:Zone.Identifier, ASCII 8->39 dropped 41 C:\Users\user\AppData\Local\...\tmpC48D.tmp, XML 8->41 dropped 43 C:\Users\user\AppData\...\KFRM1aiqoj.exe.log, ASCII 8->43 dropped 69 Uses schtasks.exe or at.exe to add and modify task schedules 8->69 71 Adds a directory exclusion to Windows Defender 8->71 14 KFRM1aiqoj.exe 1 9 8->14         started        19 powershell.exe 25 8->19         started        21 powershell.exe 24 8->21         started        23 schtasks.exe 1 8->23         started        25 schtasks.exe 12->25         started        27 dhcpmon.exe 12->27         started        signatures6 process7 dnsIp8 53 judge2020.ddns.net 91.193.75.134, 49768, 49779, 49830 DAVID_CRAIGGG Serbia 14->53 55 127.0.0.1 unknown unknown 14->55 57 192.168.2.1 unknown unknown 14->57 45 C:\Program Files (x86)\...\dhcpmon.exe, PE32 14->45 dropped 47 C:\Users\user\AppData\Roaming\...\run.dat, ISO-8859 14->47 dropped 49 C:\...\dhcpmon.exe:Zone.Identifier, ASCII 14->49 dropped 59 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->59 29 conhost.exe 19->29         started        31 conhost.exe 21->31         started        33 conhost.exe 23->33         started        35 conhost.exe 25->35         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9062ad9019224f0ec0bf6521c3100894604af55ff0124a53edf46224907823f8/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-07-14 07:08:31 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=sbrk3eazejhq5qf7muq4geaisrqev5k76ajeuu7n6rrcjedyep4a._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
4969554ae58dff0a9d4dfa099c32f7ec0ed3af397bdacebe472aee8f0831898a
NanoCore
4c15ff20f2843dcf836d49111ef6c3edf7f5580846eac6acda7a75da62629b56
NanoCore
63f1b10c759ba99da98645bdc82e508012b7a6602945c991e42285d1e2ce7bf9
NanoCore
7618bf00136b85af624ec2d4b10f52aca8d61cab901499e1abecf0af43f5eb8d
NanoCore
838c8c2090fe5bda65dc44782f16ab7391afe32dc8e40d9e4ff478ff7b2876aa
NanoCore
8d3705b3e2f5235b90628ca4e92e40062fe407e4b8e035f9f1c67e8a33f72ac2
NanoCore
905bae9d7271d32a90cf3f3d6d4eb37ffd1f1dd203e4fa37dde320b0c4bf7fab
NanoCore
+ 6'978 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/220721-s1wkbaghdp/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Checks computer location settings
Unexpected DNS network traffic destination
NanoCore
Malware Config
C2 Extraction:
judge2020.ddns.net:8282
127.0.0.1:8282
Unpacked files
SH256 hash:
02aea2efd4770b30f55172144cc8797f56297ef9494e1c8cdae87b476db3c5c1
MD5 hash:
39cd1a76244272eb814be41c9d9de622
SHA1 hash:
d4d629b6ced492a96b75952c922b13c69a6c2d0d
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/d2e398dc-5144-46a1-8f57-b622bace8c01/
SH256 hash:
47c6d49eb0c9274ee5e525344650e02e435c800761160b08af0ef55107b412ee
MD5 hash:
3a2ed03bd90bcf698f2531844134b344
SHA1 hash:
8423167f83c301f1a44bcbd8a07201362d83efd2
Link:
https://www.unpac.me/results/d2e398dc-5144-46a1-8f57-b622bace8c01/
SH256 hash:
883b63ef84c6b1cc09687962beca56e4f4b7960df7c5459e29998befaa3ccf15
MD5 hash:
ecb3f27eb8279c51608c8ea8f8050655
SHA1 hash:
82385d75444ab5fccacf37e2746c7dce73faa7f3
Link:
https://www.unpac.me/results/d2e398dc-5144-46a1-8f57-b622bace8c01/
SH256 hash:
a283a8e42c92f9bf4a4c0c24f4b1990f954a738a481da66853ef1f646d631262
MD5 hash:
7c9d55aba9a38caa076958a4c7613812
SHA1 hash:
7ce55ab339a737cee0be7491e0e0173b17281fff
Link:
https://www.unpac.me/results/d2e398dc-5144-46a1-8f57-b622bace8c01/
SH256 hash:
ea801ddd1ea57f52ae69533038861744365d8d9c05c3a9c1190dba32d07dc6b6
MD5 hash:
4d0e9bfe94004ceb16e9b63c7c03067d
SHA1 hash:
05e3fb4119f85cc6b6543d8624191a7000d856cd
Link:
https://www.unpac.me/results/d2e398dc-5144-46a1-8f57-b622bace8c01/
SH256 hash:
9062ad9019224f0ec0bf6521c3100894604af55ff0124a53edf46224907823f8
MD5 hash:
fa70550a455ffc5650898ffae8804950
SHA1 hash:
29dd733d1c8bb6ecec35a99f7be144ea59cd79f8
Link:
https://www.unpac.me/results/d2e398dc-5144-46a1-8f57-b622bace8c01/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9062ad9019224f0ec0bf6521c3100894604af55ff0124a53edf46224907823f8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:malware_Nanocore_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:MALWARE_Win_NanoCore
Create hunting rule
Author:ditekSHen
Description:Detects NanoCore
Rule name:nanocore_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Feb18_1_RID2DF1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:Nanocore_RAT_Gen_2_RID2D96
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_nanocore_w0
Create hunting rule
Author:Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/293208/

Comments