MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a4717412162c3a9b74997841c66cb913771279323f6e5829b6e42b0970499e08. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a4717412162c3a9b74997841c66cb913771279323f6e5829b6e42b0970499e08
SHA3-384 hash: 5c02df93701c47f6f7e59782f0eef3ead62743a60c7d0fbd643802c47f7987efa2da20571f02fddfefcc50a4d61f2f53
SHA1 hash: 85053675b309e97c9be5be8f86ba8c1b4e9e1ef4
MD5 hash: d04ffb5106ae135a1eadf50315e19e16
humanhash: cola-steak-autumn-three
File name:d04ffb5106ae135a1eadf50315e19e16.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:76'288 bytes
First seen:2022-02-23 07:21:46 UTC
Last seen:2022-02-23 09:02:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 1536:jZb8EJcQU+iopiA+bHq0R4Co0s7yj7c0q1X:jZbDJQYzCo8/c0q1X
Threatray 4'219 similar samples on MalwareBazaar
TLSH T18A739FA1BE84F625C1262C32DB12DAF5C227BD2BC97099537CC87F1F7933642951272A
File icon (PE):PE icon
dhash icon 3d7de4e1e1610d15 (7 x NanoCore, 5 x AgentTesla, 4 x SnakeKeylogger)
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
NanoCore C2:
212.192.246.176:2486

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
212.192.246.176:2486 https://threatfox.abuse.ch/ioc/390263/

Intelligence

File Origin
# of uploads :
2
# of downloads :
254
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/243557/
Detection(s):
SecuriteInfo.com.Trojan.Siggen16.55891.1320.4244.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
DNS request
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6215e09e875593a3cc08c6e9/reports/eb40f406-3110-4b37-bf26-76d0d86b4f17/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/8353b248-e7cc-4a2b-ac45-1b0e5399e92b
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/944506
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Suspicius Add Task From User AppData Temp
Sigma detected: Suspicius Schtasks From Env Var Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Costura Assembly Loader
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 576981 Sample: 5FJBvLl9a5.exe Startdate: 23/02/2022 Architecture: WINDOWS Score: 100 76 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->76 78 Multi AV Scanner detection for domain / URL 2->78 80 Found malware configuration 2->80 82 14 other signatures 2->82 8 5FJBvLl9a5.exe 15 4 2->8         started        12 MSBuild.exe 2 2->12         started        14 dhcpmon.exe 2->14         started        16 dhcpmon.exe 2->16         started        process3 dnsIp4 74 136.144.41.109, 49753, 80 WORLDSTREAMNL Netherlands 8->74 62 C:\Users\user\AppData\...\5FJBvLl9a5.exe.log, ASCII 8->62 dropped 18 MSBuild.exe 1 13 8->18         started        23 cmd.exe 1 8->23         started        25 MSBuild.exe 8->25         started        31 9 other processes 8->31 27 conhost.exe 12->27         started        29 conhost.exe 14->29         started        file5 process6 dnsIp7 64 meki24.ddns.net 212.192.246.176, 2486, 49809 RHC-HOSTINGGB Russian Federation 18->64 56 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 18->56 dropped 58 C:\Users\user\AppData\Local\...\tmpE3D8.tmp, XML 18->58 dropped 60 C:\Program Files (x86)\...\dhcpmon.exe, PE32 18->60 dropped 84 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->84 33 schtasks.exe 1 18->33         started        35 schtasks.exe 1 18->35         started        86 Uses ping.exe to check the status of other devices and networks 23->86 37 PING.EXE 1 23->37         started        40 conhost.exe 23->40         started        88 Uses schtasks.exe or at.exe to add and modify task schedules 25->88 42 PING.EXE 1 31->42         started        44 PING.EXE 1 31->44         started        46 PING.EXE 1 31->46         started        48 15 other processes 31->48 file8 signatures9 process10 dnsIp11 50 conhost.exe 33->50         started        52 conhost.exe 35->52         started        66 yahoo.com 98.137.11.164 YAHOO-GQ1US United States 37->66 68 74.6.231.20 YAHOO-NE1US United States 42->68 54 conhost.exe 42->54         started        70 74.6.231.21 YAHOO-NE1US United States 46->70 72 74.6.143.25 YAHOO-3US United States 48->72 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a4717412162c3a9b74997841c66cb913771279323f6e5829b6e42b0970499e08/
Threat name:
Win32.Trojan.Tiggre
Create hunting rule
Status:
Malicious
First seen:
2022-02-17 00:15:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
31 of 43 (72.09%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uryxieqwfq5jw5ezpba4m3fzcn3re6jsh5xfqknw4qvqs4cjtyea._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
0b1396805e736275f16550f3ecc5361cfcccc468094b4ea910ded8eaf430a5b3
NanoCore
263565e9f77b5ee48474855d471315dd56d1bcabe4d037fb380d404b3afcd14e
NanoCore
55aea4a4530e0aa4d13d4c68b9027e6a215bc4a4eaa87d2a8bfdc2c443dd3d7c
NanoCore
8176adc9a62eea37254cf916522ec5c140bc85fb368155c8cbe3788864d9c395
NanoCore
862965d573744607a29489905cfc8abdd8f187874d476ef4263eee7e5175630a
NanoCore
8bf0518cd0c607aa51073dfe422f6af43ab8b43523bd0c182cc6172c9ecb9072
NanoCore
8de953938b8fb2d222892012da5758cefe50de064f61416c2bc2c6e6f019352c
NanoCore
a30622ef748dbcae11f6a12cf32c096527e55364b32ae546ea1b729c121128ee
NanoCore
adac602d329a95580921b519350a4eefa10c98f593b6be76855b31d8bea64909
NanoCore
+ 4'209 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/220223-h683gshcf3/
Behaviour
Creates scheduled task(s)
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
NanoCore
Malware Config
C2 Extraction:
meki24.ddns.net:2486
Unpacked files
SH256 hash:
a4717412162c3a9b74997841c66cb913771279323f6e5829b6e42b0970499e08
MD5 hash:
d04ffb5106ae135a1eadf50315e19e16
SHA1 hash:
85053675b309e97c9be5be8f86ba8c1b4e9e1ef4
Link:
https://www.unpac.me/results/15c26621-6fc6-4714-b5a0-1cda0df3cf78/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/a4717412162c3a9b74997841c66cb913771279323f6e5829b6e42b0970499e08

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:malware_Nanocore_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:MALWARE_Win_NanoCore
Create hunting rule
Author:ditekSHen
Description:Detects NanoCore
Rule name:nanocore_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Feb18_1_RID2DF1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:Nanocore_RAT_Gen_2_RID2D96
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_nanocore_w0
Create hunting rule
Author:Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/243557/

Comments