MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 95f117deabf4aeb36402033a7ca35e717f7a31c8bf9330acbf8934fb483c5d3e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 95f117deabf4aeb36402033a7ca35e717f7a31c8bf9330acbf8934fb483c5d3e
SHA3-384 hash: 7a3d276530e9a46c23d5549b50f12e1c2c783d7583009a5a9897765a115f1a6ab6f2ca745851079a0f8b1f28f1729242
SHA1 hash: 8fb59154fe08e09b2e9c2f817157b5bc0ccf1dae
MD5 hash: 5d59200d61ba34e07e26132f5acd9619
humanhash: violet-pip-four-video
File name:5D59200D61BA34E07E26132F5ACD9619.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:700'444 bytes
First seen:2021-04-04 21:25:20 UTC
Last seen:2021-04-04 21:38:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ced282d9b261d1462772017fe2f6972b (127 x Formbook, 113 x GuLoader, 70 x RemcosRAT)
ssdeep 6144:vqjIDb42WGNpoisfWzTj4+DP0hotN17VlKWhS6Mg1KWozL4ayL:ao42fpguzTj4ThotdlKOMxWozkTL
Threatray 707 similar samples on MalwareBazaar
TLSH E0E4E0633D4094EBE78980BB3A694799C6ADBC1695C5DA837F4C7FCD2631AB37601803
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
NanoCore C2:
104.37.1.32:7632

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
104.37.1.32:7632 https://threatfox.abuse.ch/ioc/5526/

Intelligence

File Origin
# of uploads :
2
# of downloads :
240
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5D59200D61BA34E07E26132F5ACD9619.exe
Verdict:
Malicious activity
Analysis date:
2021-04-04 21:26:47 UTC
Tags:
rat nanocore trojan
Link:
https://app.any.run/tasks/912307f2-254c-4e69-ae74-15ca66f456c3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/132118/
Detection(s):
SecuriteInfo.com.Trojan.Nanocore.23.8136.12224.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a file
Sending a UDP request
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NanoCoreRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b047e996-7231-4566-af78-4b282cecc5d5
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/665663
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses dynamic DNS services
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
Gathering data
Threat name:
Win32.Trojan.Predator
Create hunting rule
Status:
Malicious
First seen:
2021-04-02 11:57:16 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=sxyrpxvl6sxlgzacam5hzi26of7xumoix6jtblf7re2pwsb4lu7a._file
Verdict:
suspicious
Similar samples:
4ee463200a2e23f5f8cd27820da94a17de71dfbcdd4793524262d6ab2099b44c
NanoCore
52b5f2f95b1200b20a6f3adfcb93c6f87713155f83176dede353ee158c7c1b63
NanoCore
61d71ab4e23eba8055de07d4283a6e2f70e00fbb3c4fdeaf8ae8258fafe340f7
NanoCore
791232ba8efdbe3778e195b4a96173183e44d101af42f0b308cca758ccd4d17c
NanoCore
79e70809a85e291f9da3d391131208ce7645dd512eb6bb71811154b43da23222
NanoCore
bf645fad6cb23a9422e58a642b223a5d6a2dfc616c7480dfdd02393838f399b5
NanoCore
c67a752275a99a0ba74a93e5a715a591ad9db9eb010759cdf41b1e7df980e84d
NanoCore
cf9895b3086ece4cf7fb15d831b7257578897021f8996cbabcbdd14f181941fa
NanoCore
d092a60d031f2dfa8d009742db3f7d78d34d817f9c6be57a7b21469203a48dc3
NanoCore
da1f1c571091e69d504819a85f0a8e1cd35e45f4a1d863320b51f0ff39817073
NanoCore
+ 697 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210404-3expj9fnee/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
NanoCore
Malware Config
C2 Extraction:
justinalwhitedd554.duckdns.org:7632
paymentmaba.sinsincity.com:7632
Unpacked files
SH256 hash:
0e36b538b99e7b2aa0e23dd9b2720f56129a8f2fb50a203bb68cf7ccb544e60d
MD5 hash:
397c7ea3337c5e01f39d2572a0c5b6e9
SHA1 hash:
3921ddd729f3f69932a12915696eebeaaea1238b
Link:
https://www.unpac.me/results/47259518-7d88-4724-bd19-4bb3e0e2402c/
SH256 hash:
f5a02c4d6c667741671463b2733bd87859430bcea2f13942a58adaad4006a043
MD5 hash:
8fe0dd315b361f5e1714ab10dfc822d5
SHA1 hash:
493f3c21ea52125e70764db163302ff371b9e42e
Link:
https://www.unpac.me/results/47259518-7d88-4724-bd19-4bb3e0e2402c/
SH256 hash:
95f117deabf4aeb36402033a7ca35e717f7a31c8bf9330acbf8934fb483c5d3e
MD5 hash:
5d59200d61ba34e07e26132f5acd9619
SHA1 hash:
8fb59154fe08e09b2e9c2f817157b5bc0ccf1dae
Link:
https://www.unpac.me/results/47259518-7d88-4724-bd19-4bb3e0e2402c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Nanocore
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/95f117deabf4aeb36402033a7ca35e717f7a31c8bf9330acbf8934fb483c5d3e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:nanocore_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/132118/

Comments