MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9bc650ba9819e8eb7ad716636f7d104883e1c69259cbe4bfb625fe2d8032d479. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 9


Intelligence 9 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9bc650ba9819e8eb7ad716636f7d104883e1c69259cbe4bfb625fe2d8032d479
SHA3-384 hash: a1c35ca8a499d7062bc60511e517f4ab28da45a4b580defe761b85ae8957210874517adce5915272b36734ac0fb468ac
SHA1 hash: 8384428721c3d02143fd687cdb79e1b503bdca4a
MD5 hash: dc36016ffd3c54b7cc755ab0945fec94
humanhash: double-montana-zulu-hotel
File name:ORDINI_20201215.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:67'504 bytes
First seen:2020-12-14 14:19:50 UTC
Last seen:2020-12-14 15:39:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'643 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 1536:tKpb9h5mffX2f+bjTSDr7gUCX1Ie9zKej0kKRZADhwa0KKayzvUfE:tKpbwH5bSgNXzjou8KZyzn
Threatray 1'387 similar samples on MalwareBazaar
TLSH B1631DAA170FBF41F94783357203D163AA81756632BF4BB0E4321B5DDC6158867AFA83
Reporter James_inthe_box
Tags:exe NanoCore

Code Signing Certificate

Organisation:Dfbaffaaffdabbd
Issuer:Dfbaffaaffdabbd
Algorithm:sha256WithRSAEncryption
Valid from:Dec 14 12:59:40 2020 GMT
Valid to:Dec 14 12:59:40 2021 GMT
Serial number: CEF9AAB2400AB5C651437B3D7C8820BD
Thumbprint Algorithm:SHA256
Thumbprint: F80655CF103D31E4D9EF691F762F6852428B7015F911A9AFE398165BAD3DD29E
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
188
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ORDINI_20201215.exe
Verdict:
Malicious activity
Analysis date:
2020-12-14 14:23:46 UTC
Tags:
rat nanocore
Link:
https://app.any.run/tasks/d5f63ce3-a4b3-4bef-b627-cf360cacc5a0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/107966/
Detection(s):
SecuriteInfo.com.FileRepMalware.16885.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Running batch commands
Creating a process with a hidden window
Launching a process
DNS request
Unauthorized injection to a recently created process
Creating a file
Sending a UDP request
Creating a file in the %AppData% subdirectories
Creating a file in the Program Files subdirectories
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Enabling autorun by creating a file
Enabling autorun
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/562203
Signature
.NET source code contains potential unpacker
Connects to a pastebin service (likely for C&C)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Detected Nanocore Rat
Drops PE files to the startup folder
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: NanoCore
Uses dynamic DNS services
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 330192 Sample: ORDINI_20201215.exe Startdate: 14/12/2020 Architecture: WINDOWS Score: 100 68 hastebin.com 2->68 82 Found malware configuration 2->82 84 Malicious sample detected (through community Yara rule) 2->84 86 Multi AV Scanner detection for dropped file 2->86 88 7 other signatures 2->88 8 ORDINI_20201215.exe 18 6 2->8         started        13 dhcpmon.exe 2->13         started        15 ORDINI_20201215.exe 2->15         started        17 3 other processes 2->17 signatures3 process4 dnsIp5 76 hastebin.com 172.67.143.180, 443, 49719, 49724 CLOUDFLARENETUS United States 8->76 64 C:\Users\user\AppData\...\ORDINI_20201215.exe, PE32 8->64 dropped 94 Creates an undocumented autostart registry key 8->94 96 Creates multiple autostart registry keys 8->96 98 Drops PE files to the startup folder 8->98 19 ORDINI_20201215.exe 1 9 8->19         started        24 cmd.exe 1 8->24         started        66 C:\Users\user\AppData\Roaming\...\dhcpmon.exe, PE32 13->66 dropped 100 Injects a PE file into a foreign processes 13->100 26 cmd.exe 13->26         started        28 dhcpmon.exe 13->28         started        30 dhcpmon.exe 13->30         started        102 Creates autostart registry keys with suspicious names 15->102 78 104.24.126.89, 443, 49728, 49731 CLOUDFLARENETUS United States 17->78 80 192.168.2.1 unknown unknown 17->80 32 cmd.exe 1 17->32         started        34 cmd.exe 17->34         started        36 cmd.exe 17->36         started        38 2 other processes 17->38 file6 signatures7 process8 dnsIp9 70 new8855.duckdns.org 19->70 72 new8855.duckdns.org 79.134.225.76, 49727, 49729, 49742 FINK-TELECOM-SERVICESCH Switzerland 19->72 74 127.0.0.1 unknown unknown 19->74 58 C:\Program Files (x86)\...\dhcpmon.exe, PE32 19->58 dropped 60 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 19->60 dropped 62 C:\...\dhcpmon.exe:Zone.Identifier, ASCII 19->62 dropped 90 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->90 40 conhost.exe 24->40         started        42 timeout.exe 1 24->42         started        44 conhost.exe 26->44         started        46 timeout.exe 26->46         started        48 conhost.exe 32->48         started        50 timeout.exe 1 32->50         started        52 conhost.exe 34->52         started        54 timeout.exe 34->54         started        56 2 other processes 36->56 file10 92 Connects to a pastebin service (likely for C&C) 70->92 signatures11 process12
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9bc650ba9819e8eb7ad716636f7d104883e1c69259cbe4bfb625fe2d8032d479/
Threat name:
ByteCode-MSIL.Backdoor.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2020-12-14 14:19:44 UTC
File Type:
PE (.Net Exe)
AV detection:
10 of 28 (35.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tpdfbouydhuow6wxczrw67iqjcb6druslhf6jp5wex7c3abs2r4q._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
013e28fb236b074fae60d3252c602924a886ad4c311310dbb19f85ba1c5e2425
NanoCore
75ce60322805e5ca67cb3f9fe1b8d051596cde1ac3df7d3f509413345949da64
NanoCore
80f4aeadc5c8163a645695755c433095308948d6a8657d9b3dd37c73f11d6fbc
NanoCore
a4daf793ab3c51609ba2667a64649b17de7c68aefa387b3dd7c3ac01b5db22ae
NanoCore
b34995ccc278079c90c5b876aec791c11bb42bad62105f284c4177b5c2b38dbe
NanoCore
b73d9ca871a542e64db5bf55485a94f47ef2ac2a4ea3cdb388588d11f173b93e
NanoCore
d8021d01301e057b4f51017952545673b0892e07d5546745fc1159d740716fbf
NanoCore
dcd49164183272088d635cfedfb13caba79357c224bcba1bce288c26093200c2
NanoCore
e3e2eb5f82a7580c067c4e4c41edc947a978a9e74ecc39e875fc3093d2c3cb66
NanoCore
f9155082e1d12e318287a25bb73036feab7c75b7f0c3c1c30f457cbecaf9763a
NanoCore
+ 1'377 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201214-vn4wgskegs/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Drops startup file
Modifies WinLogon for persistence
NanoCore
Malware Config
C2 Extraction:
new8855.duckdns.org:9922
127.0.0.1:9922
Unpacked files
SH256 hash:
9bc650ba9819e8eb7ad716636f7d104883e1c69259cbe4bfb625fe2d8032d479
MD5 hash:
dc36016ffd3c54b7cc755ab0945fec94
SHA1 hash:
8384428721c3d02143fd687cdb79e1b503bdca4a
Link:
https://www.unpac.me/results/10b62e5b-7764-4420-b2ad-427c35dc4e4d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/9bc650ba9819e8eb7ad716636f7d104883e1c69259cbe4bfb625fe2d8032d479

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:nanocore_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/107966/

Comments