MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 949d00a2671caf5d7b79cf25b10661b5019dfda7726c915f8851a285cb7101a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 11

Intelligence 11 IOCs YARA 5 File information Comments

SHA256 hash:	949d00a2671caf5d7b79cf25b10661b5019dfda7726c915f8851a285cb7101a4
SHA3-384 hash:	6d2f56ac0dd9427d9877afffce4a922903821a5cc5ad3b40666bc891642cec3a768430e6943367e6391ca3ff2f697d59
SHA1 hash:	ee12d566775c2fcfe148fa253b440349f59b5551
MD5 hash:	200d60589b9b14f4a1b16fc2bfc64d24
humanhash:	carpet-minnesota-black-triple
File name:	nanoclient.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	358'912 bytes
First seen:	2020-10-01 06:39:51 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:KLV6Bta6dtJmakIM5jUog49IzQdBFvgiDUEszp9F1:KLV6BtpmkgNecB2EsX
Threatray	1'087 similar samples on MalwareBazaar
TLSH	7074D64D1325020BC99C6A3AF20E7F8A47604EBE7DC2E7EAF5893417AD723D5143356A
Reporter	Anonymous
Tags:	NanoCore

Intelligence

File Origin

# of uploads :

# of downloads :

162

Origin country :

n/a

Vendor Threat Intelligence

Detection:

NanoCore

Link:

https://www.capesandbox.com/analysis/67324/

Detection(s):

Win.Trojan.Nanocore-5

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% subdirectories

Creating a file in the Program Files subdirectories

Sending a UDP request

DNS request

Connection attempt

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Result

Threat name:

Nanocore

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/479034

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected Nanocore Rat

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Uses dynamic DNS services

Yara detected Nanocore RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

nanocore

Link:

https://mwdb.cert.pl/sample/949d00a2671caf5d7b79cf25b10661b5019dfda7726c915f8851a285cb7101a4/

Threat name:

ByteCode-MSIL.Backdoor.NanoCore

Status:

Malicious

First seen:

2020-10-01 06:41:05 UTC

AV detection:

29 of 29 (100.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ssoqbithdsxv263zz4s3cbtbwuaz37nhojwjcx4ikgrils3ragsa._file

Verdict:

malicious

Label(s):

nanocorerat

NanoCore

1d5d33d83029cd0b64bd4171db3e6535c4f50d31cc585b6e2b10345121c346fc

NanoCore

3465a87f7c026e390a862f5d4b638745f80fa24a5ef94998e2f5c1818dd0bc15

NanoCore

4d0aea3c86fee5ae6722f98e65e622017f16725ede141d7ee95c20262080c61a

NanoCore

4d394ed696ee7fb3d53a7b064c53f2157b28d9f192de912fe311dd284845e4c9

NanoCore

781de34d3e2706aa0b05bdb69604b9532cbdd7297f38e9f2e18a06434a958e4b

NanoCore

8aadc9eae1964c2fa5d3ba8f6816a239db391f4cfb38785367eee5f2923b5f9b

NanoCore

947187e8b9a694ec0481df4fce6b606d7eabf1805eb7e792f7dca22e8a792daa

NanoCore

d451e3e7766abda3a6406d3e52ed8d123daa52409bb7905a44694855fa923888

NanoCore

fa8b5da63665ba268ec6923aa0bd26662e9dea318d80a7ab659065724c94868a

NanoCore

+ 1'077 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

evasion trojan keylogger stealer spyware family:nanocore persistence

Link:

https://tria.ge/reports/201001-gkx8kfqpnn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Drops file in Program Files directory

Adds Run key to start application

Checks whether UAC is enabled

NanoCore

Malware Config

C2 Extraction:

isiefinama.duckdns.org:2202

Unpacked files

SH256 hash:

949d00a2671caf5d7b79cf25b10661b5019dfda7726c915f8851a285cb7101a4

MD5 hash:

200d60589b9b14f4a1b16fc2bfc64d24

SHA1 hash:

ee12d566775c2fcfe148fa253b440349f59b5551

Detections:

win_nanocore_w0

Link:

https://www.unpac.me/results/e18ce635-6def-42ce-b6ad-83c830ec9d83/

Parent samples :

e3e2eb5f82a7580c067c4e4c41edc947a978a9e74ecc39e875fc3093d2c3cb66
949d00a2671caf5d7b79cf25b10661b5019dfda7726c915f8851a285cb7101a4

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Nanocore

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/949d00a2671caf5d7b79cf25b10661b5019dfda7726c915f8851a285cb7101a4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/