MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 951ab00dc85e3e85f785a53b6be93ae78b49c2a33c4fa0006097372a94cb59dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	951ab00dc85e3e85f785a53b6be93ae78b49c2a33c4fa0006097372a94cb59dc
SHA3-384 hash:	fe2a1fffffcffafd594ac94cf734da894da005ba85ad58ccbbbc617c4481c9c67b2e765e23f07e60e86c8c0a19009fb6
SHA1 hash:	57fb03491b97f9d8522337b53c892534450de20b
MD5 hash:	4bffc5a866da1a772c57d78cdc1e5fdf
humanhash:	carbon-princess-kentucky-december
File name:	RFQ23789.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	909'312 bytes
First seen:	2022-07-18 16:50:45 UTC
Last seen:	2022-07-18 17:39:59 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'660 x AgentTesla, 19'470 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:elhLuyyhirWEr6WmdYE84pFKakMVT7RUeI9Y:WLuyygrtmp84RrVT7RUZY
Threatray	6'040 similar samples on MalwareBazaar
TLSH	T1F515223772204A9AC06D5BB1D1324CE203716DC6A613FF261DC5BAE72933B549A0EBD7
TrID	64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.5% (.SCR) Windows screen saver (13101/52/3) 9.2% (.EXE) Win64 Executable (generic) (10523/12/4) 5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	GovCERT_CH
Tags:	exe NanoCore

Intelligence

File Origin

# of uploads :

# of downloads :

266

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/291651/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.1449.26066.22863.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Creating a process with a hidden window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

80%

Tags:

fareit packed

Link:

https://www.filescan.io/uploads/62d58fb600d6e9040b569a18/reports/64bfe1be-8e0c-4666-8ac3-c52999330e41/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

NanoCoreRAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/893c8d21-ae99-459f-ba39-3a9e1755bae4

Result

Threat name:

Nanocore

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1035977

Signature

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected Nanocore Rat

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected Nanocore RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/951ab00dc85e3e85f785a53b6be93ae78b49c2a33c4fa0006097372a94cb59dc/

Threat name:

ByteCode-MSIL.Trojan.FormBook

Status:

Malicious

First seen:

2022-07-15 09:36:54 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=sunladoily7il54fuu5wx2j246futqvdhrh2aadas43svfgllhoa._file

Verdict:

malicious

Label(s):

nanocorerat

NanoCore

0e519e0e3a0e92f7d7dc9b39de8d22b11acdee0d4413d2d9196b0eb8ef74e69f

NanoCore

1fc4a0644a7d34526e2686b205e4d599d90e31c62f702468f26afffbadaff7c3

NanoCore

4c15ff20f2843dcf836d49111ef6c3edf7f5580846eac6acda7a75da62629b56

NanoCore

63f1b10c759ba99da98645bdc82e508012b7a6602945c991e42285d1e2ce7bf9

NanoCore

7618bf00136b85af624ec2d4b10f52aca8d61cab901499e1abecf0af43f5eb8d

NanoCore

838c8c2090fe5bda65dc44782f16ab7391afe32dc8e40d9e4ff478ff7b2876aa

NanoCore

8d3705b3e2f5235b90628ca4e92e40062fe407e4b8e035f9f1c67e8a33f72ac2

NanoCore

905bae9d7271d32a90cf3f3d6d4eb37ffd1f1dd203e4fa37dde320b0c4bf7fab

NanoCore

f464ccabbb4252d3064034d5311d59f7e2525879cf9b6bf4b82ed27f2600dd90

NanoCore

+ 6'030 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

family:nanocore evasion keylogger persistence spyware stealer suricata trojan

Link:

https://tria.ge/reports/220718-vcs6dsacf6/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Program Files directory

Suspicious use of SetThreadContext

Adds Run key to start application

Checks whether UAC is enabled

Checks computer location settings

NanoCore

suricata: ET MALWARE Possible NanoCore C2 60B

Malware Config

C2 Extraction:

derananocore.ddns.net:1187
194.87.84.135:1187

Unpacked files

SH256 hash:

4aa203c4c61c8c947f9b817319c45b3d49634791983647b2d8cfcd4dd86354eb

MD5 hash:

4904467cfd10eb3bc29548ba118e0cb9

SHA1 hash:

fe735fdb64b6508790115839aabf41f83fbfff31

Link:

https://www.unpac.me/results/17a8dee6-55c4-45af-896d-0559b7163b41/

SH256 hash:

fe46c824dbcff5537b7388ebc09dd8852a7fe8f3bc690ae2da245e0e2b01cb2e

MD5 hash:

8f921edbd8b92a84a7bcb306ebb1c86c

SHA1 hash:

a286d0abfb62a21a7e7ba9d30028d212cd107947

Detections:

win_nanocore_w0

Link:

https://www.unpac.me/results/17a8dee6-55c4-45af-896d-0559b7163b41/

Parent samples :

838c8c2090fe5bda65dc44782f16ab7391afe32dc8e40d9e4ff478ff7b2876aa
55574f282bf7ca6ec118c1b23c25c52ee8cef783e03505f53ec3f45b0d9cc5be
4c15ff20f2843dcf836d49111ef6c3edf7f5580846eac6acda7a75da62629b56
951ab00dc85e3e85f785a53b6be93ae78b49c2a33c4fa0006097372a94cb59dc
8c0ff43e408c9ac58abaa4d75ec70945ae3cfcdf34d97da684f0723de8b521a1
d58c596621fcf7fe0514c4272a3567f427ab4392ce44febbb887b1bdecbe74fe
2b8929b1aa46a540455e96eca861b13e2915532c84baf7a416d40d6765fa94c0
9c997bb5941de96a571243b7621bf577514cdc9818eb79b1116601fc31f3a17b
234c80363a755782bf545da03646b88427f2ea8d3b03a052ef0cdc350984292d
7be1ebef9b8c89dfc78deeacec9dc9e919ad50a10db4a20d14a53e370a6fdef4
930bf3214ee99887f3a7f6396d1ee98ee9f127d557de53740447044c1def49c8
9a1142a3ac9fd836fd21c7f71026cb5714c8fe5d4c12e702b733f2b0350ed6e7
8eb1487d6baf8f4e54d3a40ae27965dd13ccb2cdc2eb02f8fe46a556fbe3af45
7c6d7c9a34ec05f4b0ee92eda6c98b49a40976e48528059237e4242b9533a1e1
17a0e81b66dbeee4b2774d04039fbe7768072a7eee3be560fd497f82e8e7ea3b
e68e26013f6d2a9abcb85314e4c310e738409c7da0af83134437b606a6d7beb6

SH256 hash:

883b63ef84c6b1cc09687962beca56e4f4b7960df7c5459e29998befaa3ccf15

MD5 hash:

ecb3f27eb8279c51608c8ea8f8050655

SHA1 hash:

82385d75444ab5fccacf37e2746c7dce73faa7f3

Link:

https://www.unpac.me/results/17a8dee6-55c4-45af-896d-0559b7163b41/

SH256 hash:

07a669badf12ee362884eca88c04ff18b102b9cf7b59653807fc451ad4e7b8fe

MD5 hash:

f6df51f6176af38265fd8933b3f473a7

SHA1 hash:

2c7549beab772727065d025417e42ad6840294b9

Link:

https://www.unpac.me/results/17a8dee6-55c4-45af-896d-0559b7163b41/

SH256 hash:

61cd7350cd0ebc935429937b8d86a8128fb8a684536c900422ad4ec9a275498a

MD5 hash:

6fb9f17408ae32f50bad5669befd0f7e

SHA1 hash:

2bdf9ee76eaa3aa9370364316dbd70056695e16e

Link:

https://www.unpac.me/results/17a8dee6-55c4-45af-896d-0559b7163b41/

SH256 hash:

951ab00dc85e3e85f785a53b6be93ae78b49c2a33c4fa0006097372a94cb59dc

MD5 hash:

4bffc5a866da1a772c57d78cdc1e5fdf

SHA1 hash:

57fb03491b97f9d8522337b53c892534450de20b

Link:

https://www.unpac.me/results/17a8dee6-55c4-45af-896d-0559b7163b41/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/951ab00dc85e3e85f785a53b6be93ae78b49c2a33c4fa0006097372a94cb59dc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

exe 951ab00dc85e3e85f785a53b6be93ae78b49c2a33c4fa0006097372a94cb59dc

(this sample)

Dropped by

nanocore

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/291651/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample