MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 95ccbdefafb7f4b5e2a505d3681803940a8fa7a5cae06ee56036009b4253c5ac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 10


Intelligence 10 IOCs YARA 15 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 95ccbdefafb7f4b5e2a505d3681803940a8fa7a5cae06ee56036009b4253c5ac
SHA3-384 hash: fc1fabc67d8ee769b8da95eb6f754150a8eb71c4bf0fe9c6bc40550af415e80d06e05b480deeaad80c0391ce8b1f3276
SHA1 hash: a1f8353e9bebbc46d06d5f31fab243bc856f16fe
MD5 hash: 32708c45ed7207af3b3be4d9312a76c4
humanhash: gee-lamp-chicken-quebec
File name:Oct Invoices 8984.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:1'196'544 bytes
First seen:2020-10-20 08:19:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:a4YC1Iz0ikGdQuYKDnTLjEw3XPAAHq7F51dvqA+mH:a4O0LGdsI/53XbK7Fpq
Threatray 1'582 similar samples on MalwareBazaar
TLSH C9457DB27C92587ECA6B077550A985C1FABA16C73FA48B0D71AF430C0F11A1BEB53257
Reporter abuse_ch
Tags:exe NanoCore RAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
106
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/73323/
Detection(s):
SecuriteInfo.com.BackDoor.SpyBotNET.25.20851.31797.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% subdirectories
Creating a window
Unauthorized injection to a recently created process
Launching a process
Result
Threat name:
Nanocore Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/497272
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Binary contains a suspicious time stamp
Connects to many ports of the same IP (likely port scanning)
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Nanocore RAT
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 300812 Sample: Oct Invoices 8984.exe Startdate: 20/10/2020 Architecture: WINDOWS Score: 100 47 3.tcp.ngrok.io 2->47 61 Found malware configuration 2->61 63 Malicious sample detected (through community Yara rule) 2->63 65 Antivirus detection for dropped file 2->65 67 17 other signatures 2->67 10 Oct Invoices 8984.exe 7 2->10         started        14 Client-built.exe 2->14         started        16 dhcpmon.exe 2->16         started        signatures3 process4 file5 41 C:\Users\user\...\Oct Invoices 8984.exe.log, ASCII 10->41 dropped 43 C:\Users\user\AppData\Local\Temp\...\Xxl.dll, PE32 10->43 dropped 45 C:\Users\user\AppData\...\AgileDotNetRT.dll, PE32 10->45 dropped 77 Injects a PE file into a foreign processes 10->77 18 Oct Invoices 8984.exe 5 10->18         started        signatures6 process7 file8 33 C:\Users\user\AppData\...\Client-built.exe, PE32 18->33 dropped 35 C:\Users\user\AppData\Local\Temp\Bin.exe, PE32 18->35 dropped 21 Client-built.exe 15 4 18->21         started        25 Bin.exe 1 10 18->25         started        process9 dnsIp10 49 3.131.207.170, 20027, 22918, 49749 AMAZON-02US United States 21->49 51 ip-api.com 208.95.112.1, 49741, 80 TUT-ASUS United States 21->51 69 Antivirus detection for dropped file 21->69 71 Multi AV Scanner detection for dropped file 21->71 73 Machine Learning detection for dropped file 21->73 75 2 other signatures 21->75 28 schtasks.exe 21->28         started        53 3.tcp.ngrok.io 3.129.187.220, 20027, 22918, 49742 AMAZON-02US United States 25->53 55 3.22.53.161, 20027, 49747 AMAZON-02US United States 25->55 57 3.23.182.29, 20027, 49744, 49753 AMAZON-02US United States 25->57 37 C:\Program Files (x86)\...\dhcpmon.exe, PE32 25->37 dropped 39 C:\Users\user\AppData\Roaming\...\run.dat, data 25->39 dropped file11 signatures12 process13 dnsIp14 59 1.2.3.4 CLOUDFLARENETUS Australia 28->59 31 conhost.exe 28->31         started        process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/95ccbdefafb7f4b5e2a505d3681803940a8fa7a5cae06ee56036009b4253c5ac/
Threat name:
ByteCode-MSIL.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2020-10-20 05:39:02 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=sxgl335pw72llyvfaxjwqgadsqfi7j5fzlqg5zlagyajwqstywwa._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
2801e23864a2d65490e0ef7663d0d0e4292242f84d8368f0cdeefa868c375521
NanoCore
572c44582bd57e673a2fffa68259bd82cf37b9f95030e2d8906b588e71d808e0
NanoCore
6f8b5cad56d107434291b260c5483479d0ac1d02498d5bfad7468a02dc7fc19d
NanoCore
91de70857ce9dbf596a67b2abad7552a467fcc2a155d349799261fb8585e6c18
NanoCore
9dfc0d127c1129cd943b1c6ea494a01b40b6b29656db9a44f3dc3231db127a0e
NanoCore
b938308e908f642f82eb2cfd683a86fcfb09d525e865810dd5af635cfabd315f
NanoCore
c0fe48e42fb4769fd14e90de135d33729de312e0b82ba907885b26462f80af01
NanoCore
d4d035a66f0558130f340ab8de3375333d74dba6fec5541c25cc56da77e13042
NanoCore
dca205ee15b1128bf97fa8660ee3240f4283109cd8e4d4334c394766449b6e15
NanoCore
fca8e004262426185cff710c3f904ffe5fd13dbe8de480cbf1320fe565e5513d
NanoCore
+ 1'572 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
trojan spyware family:quasar persistence evasion keylogger stealer family:nanocore
Link:
https://tria.ge/reports/201020-s2ambnajwj/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Looks up external IP address via web service
Loads dropped DLL
Executes dropped EXE
NanoCore
Quasar RAT
Malware Config
C2 Extraction:
3.tcp.ngrok.io:20027
Unpacked files
SH256 hash:
95ccbdefafb7f4b5e2a505d3681803940a8fa7a5cae06ee56036009b4253c5ac
MD5 hash:
32708c45ed7207af3b3be4d9312a76c4
SHA1 hash:
a1f8353e9bebbc46d06d5f31fab243bc856f16fe
Link:
https://www.unpac.me/results/24b379f5-3ea7-46f5-93fb-976fb88c02ed/
SH256 hash:
e0becb3532bd89ede90dc881735c824e66df23a639a21ecebdddc20b93e69da3
MD5 hash:
407ec810e825f2dfb808723bd5aaa372
SHA1 hash:
5497c6a174100ded672ddb76013d97bb806fe455
Link:
https://www.unpac.me/results/24b379f5-3ea7-46f5-93fb-976fb88c02ed/
SH256 hash:
167244edc3b3bbc8f7b2994c5548a220e8dc09a432f50ec5b27f18a5da258260
MD5 hash:
6ee25230e388af4f208984dc0584338e
SHA1 hash:
ae1890a48556b126c41652336b7079d6a84733c3
Link:
https://www.unpac.me/results/24b379f5-3ea7-46f5-93fb-976fb88c02ed/
SH256 hash:
a0596d74a7e2fa6393fc7dcb00e45f025c8008b5e22fce97358b5bc08703bd05
MD5 hash:
5b9c488b90132a2d1685aa9db6ed3394
SHA1 hash:
bf6041126c1ac5b6d42a5423304a4ea970798617
Link:
https://www.unpac.me/results/24b379f5-3ea7-46f5-93fb-976fb88c02ed/
SH256 hash:
f86c49d95f6a57010a0048b0ff1f054de35e581e3b72a276fc81838ffd2f2f73
MD5 hash:
8da5165be6c5e84fc4a2de48fc325194
SHA1 hash:
d4760184de5612b674664c31d4fb66df3063b81f
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/24b379f5-3ea7-46f5-93fb-976fb88c02ed/
Parent samples :
572c44582bd57e673a2fffa68259bd82cf37b9f95030e2d8906b588e71d808e0
fca8e004262426185cff710c3f904ffe5fd13dbe8de480cbf1320fe565e5513d
dca205ee15b1128bf97fa8660ee3240f4283109cd8e4d4334c394766449b6e15
91de70857ce9dbf596a67b2abad7552a467fcc2a155d349799261fb8585e6c18
95ccbdefafb7f4b5e2a505d3681803940a8fa7a5cae06ee56036009b4253c5ac
b938308e908f642f82eb2cfd683a86fcfb09d525e865810dd5af635cfabd315f
SH256 hash:
30140c3bf5874d7d184b15513016f9de1524ae95a5efe9a1cb15bad6d6936d64
MD5 hash:
03847d82611bc6461cbb99ca768828f1
SHA1 hash:
39859a3fd3326520dfd1ed10456bb227933a8871
Link:
https://www.unpac.me/results/24b379f5-3ea7-46f5-93fb-976fb88c02ed/
SH256 hash:
19d9922060be89a70b76e5c0056e751f1baa5d41819235c92cf4f5d7668e1267
MD5 hash:
811864a0b06c529af894a7fec6ddbf47
SHA1 hash:
d35b82933eb06a6ec60e8cbbdb65eb6cdcaeb6d2
Link:
https://www.unpac.me/results/24b379f5-3ea7-46f5-93fb-976fb88c02ed/
Parent samples :
afa2f55e149097f9b250142bbfd94d9d56d10649c96adb079fdb0dfdac7c6660
69e2ae11e1b5cbe120bf02301191a1cf05e87fc09b09d63bd782abbf3615d05d
0b778873c94f6bc89a40294c0e85a38ab82509260cd2a2e8b73d00c5c90e8757
7ddfa6f44a60f4b894321f6977f8121cfb371c3c61ac872c58ba61fd5ee13deb
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/95ccbdefafb7f4b5e2a505d3681803940a8fa7a5cae06ee56036009b4253c5ac

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:CN_disclosed_20180208_KeyLogger_1
Create hunting rule
Author:Florian Roth
Description:Detects malware from disclosed CN malware set
Reference:https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MAL_QuasarRAT_May19_1
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:MSILStealer
Create hunting rule
Author:https://github.com/hwvs
Description:Detects strings from C#/VB Stealers and QuasarRat
Reference:https://github.com/quasar/QuasarRAT
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:Quasar
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect QuasarRAT in memory
Rule name:Quasar_RAT_1
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Quasar_RAT_2
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Vermin_Keylogger_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Vermin Keylogger
Reference:https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>
Rule name:xRAT_1
Create hunting rule
Author:Florian Roth
Description:Detects Patchwork malware
Reference:https://goo.gl/Pg3P4W

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

Executable exe 95ccbdefafb7f4b5e2a505d3681803940a8fa7a5cae06ee56036009b4253c5ac

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/73323/

Comments