MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9543093bc02b5d20ad4606f3ba21dc41d8c0da1dc56933dc78c88d78d883dd80. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 6


Intelligence 6 IOCs 1 YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9543093bc02b5d20ad4606f3ba21dc41d8c0da1dc56933dc78c88d78d883dd80
SHA3-384 hash: 2d2c0990c5b17f3997bcc68bf40c9e963f935b0a1015f6398ed942c46257d336935955c64fc93e2567c48e11397c51a5
SHA1 hash: 9cfb537ca6cddc10675decf5aca59112c2ae225a
MD5 hash: c6875e531eb44f03050e5b30c1804464
humanhash: king-blue-nineteen-fifteen
File name:TBF-21-52100456SLIP.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:885'760 bytes
First seen:2021-04-21 09:17:01 UTC
Last seen:2021-04-21 09:56:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:gcsl2nMDDi2HladdHTRou1jG7RRRRR9K:gvlAMDnHlahou1kRRRRR4
Threatray 10 similar samples on MalwareBazaar
TLSH 8915CF2A7650A364D3EC0974D947A2620B746C5F5902E3636BF8BDB73FEE213C606136
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
NanoCore C2:
185.222.57.152:4001

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.222.57.152:4001 https://threatfox.abuse.ch/ioc/9369/

Intelligence

File Origin
# of uploads :
2
# of downloads :
119
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/141965/
Detection(s):
SecuriteInfo.com.Malware.AI.617710290.3661.25463.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9543093bc02b5d20ad4606f3ba21dc41d8c0da1dc56933dc78c88d78d883dd80/
Threat name:
ByteCode-MSIL.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2021-04-21 09:36:59 UTC
AV detection:
13 of 29 (44.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=svbqso6afnosblkga3z3uio4ihmmbwq5yvuthxdyzcgxrwed3waa._file
Verdict:
unknown
Similar samples:
0533e896717fa4ff365579e940b16d3e0543ccd319f4cee76c9ab71999a669b6
NanoCore
0ef41dabaa6af07317dd45595f15625cb7517650bb13b365de0717d3cad26197
NanoCore
1782d596257cfdebb26faf0e26a0c153575e047f036f5aa2c37c341d5a4004e8
NanoCore
5d8da4f6c6c82b30357e74ffca2c3ca8b52832dea9f1ccf7c99df73eb2812c14
NanoCore
a46f0189a9016e0af96bebed0e62fad7bbd7e6223ea036c0e6d2da4f9a04a6cc
NanoCore
a9c5029521e6d748545aabc303731f7df321976c956a43c971428b123e3c849f
NanoCore
c20fca96d4e870403e4e1f58766271241fb60e0c8e81b1d778d1366c53d69162
NanoCore
d69345d398849a377103e09925aca369a6ee8fdaca08745d3bbb02aa79eb2861
NanoCore
ebdb5f9167c925da14a5783a022be63ac4daeeb7515692c7cd50c37a7851e7e4
NanoCore
f43c8dbac644d6e19bc88407b4d11870793af3ae00e8f359137db7e28044a89f
NanoCore
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210421-xsfmxjtq9j/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks whether UAC is enabled
NanoCore
Malware Config
C2 Extraction:
185.222.57.152:4001
127.0.0.1:4001
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/9543093bc02b5d20ad4606f3ba21dc41d8c0da1dc56933dc78c88d78d883dd80

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:nanocore_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/141965/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-21 10:21:36 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009] Anti-Behavioral Analysis::Virtual Machine Detection