MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 970f7d03e10292edf2d418d3f2c87a32a11c583ecf7c803917070bdbf136b0b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 8

Intelligence 8 IOCs YARA 5 File information Comments

SHA256 hash:	970f7d03e10292edf2d418d3f2c87a32a11c583ecf7c803917070bdbf136b0b1
SHA3-384 hash:	448cba74bc6b67b2ecd78e260a85ad59d71644fd31b4268dbcdacd3ff1655ea3dc457d6eaf8dc213367cb195f1e17875
SHA1 hash:	09e030ea4f63ec301b02c3b3c94c00ccdeec0ffc
MD5 hash:	c4a96a6d1386e15e5eb91523f69067d2
humanhash:	lion-november-speaker-apart
File name:	970f7d03e10292edf2d418d3f2c87a32a11c583ecf7c803917070bdbf136b0b1
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	320'000 bytes
First seen:	2020-07-06 07:05:34 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	6144:dpv6eWl437FQxCycppfGpy6JKtziSg0b4l7Zs/b7CZZtx95GZ/oXyQYCV8:XvSZCycX8DKGSgnlieZZ15K/oXyQLV8
Threatray	1'354 similar samples on MalwareBazaar
TLSH	DF640244F7C8D991CA6E067AC4A2D7600361DF276502C35F6C9E3D9F7E323C92A0A65B
Reporter	JAMESWT_WT
Tags:	NanoCore

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

NanoCore

Link:

https://www.capesandbox.com/analysis/21038/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a process from a recently created file

Creating a window

Creating a file in the %AppData% subdirectories

Running batch commands

Creating a process with a hidden window

Creating a file

Changing the Zone.Identifier stream

DNS request

Unauthorized injection to a recently created process by context flags manipulation

Connection attempt to an infection source

Enabling autorun with Startup directory

Detection:

nanocore

Link:

https://mwdb.cert.pl/sample/970f7d03e10292edf2d418d3f2c87a32a11c583ecf7c803917070bdbf136b0b1/

Threat name:

ByteCode-MSIL.Trojan.SmartAssembly

Status:

Malicious

First seen:

2020-07-03 00:41:44 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 29 (72.41%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=s4hx2a7bakjo34wuddj7fsd2gkqrywb6z56iaoixa4f5x4jwwcyq._file

Verdict:

malicious

Label(s):

nanocorerat

NanoCore

4b09a7fa4d80c792d50d5d81b9ffdd5a1511ae05958cceb464fa44f9cbbba347

NanoCore

62a7f441ba21aaa568fe700029fa32d6dd7eeb2ed0a7f7259a680f2aae65ee31

NanoCore

7370a7e091fac25ebdad745b779e1d83f9599893ae465803dc03c943b66fda1c

NanoCore

819b7cdae5437e09dddc2263080df829d2e8ba725f4364bfddf0cd10eb848692

NanoCore

8490e3d97ac25a9e1e87a0270a30076cc38b75ca705e28d5c78b93968b0231fb

NanoCore

b14306aa1789a4d6b9bfa4f8c9392033ef0fc70e584addad632135f7f832dec1

NanoCore

b2e9a56a20c71306ae8965955dfa780b868c5766f3ebb2f8e4c816a305711cdd

NanoCore

c906c5770bebca31da7c8da7a639ec54531022d2a88bc133f89f793e7a3d737d

NanoCore

ccf661061226a4fe358b46c6fab8a29686323e41aa50fe06c06963c9939a2669

NanoCore

+ 1'344 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

evasion trojan keylogger stealer spyware family:nanocore

Link:

https://tria.ge/reports/200706-w8vpap1qw6/

Behaviour

NTFS ADS

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetThreadContext

Checks whether UAC is enabled

Drops startup file

Loads dropped DLL

Executes dropped EXE

NanoCore

Malware Config

C2 Extraction:

gold1.dnsupdate.info:4777
gold080.ooguy.com:4777

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name:	win_nanocore_w0 Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/21038/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample