MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a898127d2c98fda1751d317cdf3a1d85f79de8fe762edb2415ec04e7c1c53a6f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 17


Intelligence 17 IOCs YARA 15 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a898127d2c98fda1751d317cdf3a1d85f79de8fe762edb2415ec04e7c1c53a6f
SHA3-384 hash: 8eb5b6c38bc01caacf1dd018f0b4be5c1ca08ebe4ca24e89e52d6c20158209c7a5678c6f512d837bbd092b587177500f
SHA1 hash: b9e040314eb74c24ad9f42ce37032ad238a37649
MD5 hash: 1017fcdd21ff4ee2a5ac3d90b680d2fe
humanhash: quiet-hamper-tennessee-football
File name:1017fcdd21ff4ee2a5ac3d90b680d2fe.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:642'348 bytes
First seen:2023-03-23 15:35:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 12e12319f1029ec4f8fcbed7e82df162 (389 x DCRat, 52 x RedLineStealer, 51 x Formbook)
ssdeep 12288:pToPWBv/cpGrU3yJDwlNm2n+d6twT2/FRXJbIMp8NDSjt/:pTbBv5rUGGm5UtwT29EMp8J+/
Threatray 2'579 similar samples on MalwareBazaar
TLSH T1ACD4F112BBC194B2C0B22E765636B7249A7877615F74CECF53C4096DDE21EC0EA353A2
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e4969282b6a898e0 (1 x ColibriLoader, 1 x RedLineStealer, 1 x NanoCore)
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
NanoCore C2:
103.176.111.90:8550

Intelligence

File Origin
# of uploads :
1
# of downloads :
314
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
nanocore
Create hunting rule
ID:
1
File name:
1017fcdd21ff4ee2a5ac3d90b680d2fe.exe
Verdict:
Malicious activity
Analysis date:
2023-03-23 15:36:50 UTC
Tags:
nanocore rat
Link:
https://app.any.run/tasks/03cc8ef5-b970-443d-9b29-a83d892ae7d1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/376898/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.38920448.13962.7593.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Launching the default Windows debugger (dwwin.exe)
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/74447/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/641c71e28f3f4544f6cb9bbf/reports/95d44b0a-8bae-4165-8a96-2f8f9a45087b/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/a898127d2c98fda1751d317cdf3a1d85f79de8fe762edb2415ec04e7c1c53a6f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NanoCoreRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5308faea-a935-459a-9426-e9853135e91f
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1200524
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Found hidden mapped module (file has been removed from disk)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic
Uses dynamic DNS services
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 833425 Sample: f5dp49vu7K.exe Startdate: 23/03/2023 Architecture: WINDOWS Score: 100 47 justkowir.duckdns.org 2->47 61 Snort IDS alert for network traffic 2->61 63 Malicious sample detected (through community Yara rule) 2->63 65 Antivirus detection for URL or domain 2->65 67 10 other signatures 2->67 8 f5dp49vu7K.exe 10 2->8         started        11 amrhioao.exe 1 2->11         started        14 amrhioao.exe 1 2->14         started        signatures3 process4 file5 39 C:\Users\user\AppData\...\fpipnlvahva.exe, PE32 8->39 dropped 16 fpipnlvahva.exe 1 3 8->16         started        41 C:\Users\user\AppData\Local\Temp\5285.tmp, PE32 11->41 dropped 69 Antivirus detection for dropped file 11->69 71 Multi AV Scanner detection for dropped file 11->71 73 Machine Learning detection for dropped file 11->73 75 Found hidden mapped module (file has been removed from disk) 11->75 20 WerFault.exe 10 11->20         started        22 amrhioao.exe 3 11->22         started        43 C:\Users\user\AppData\Local\Temp\7734.tmp, PE32 14->43 dropped 77 Maps a DLL or memory area into another process 14->77 24 amrhioao.exe 2 14->24         started        26 WerFault.exe 14->26         started        signatures6 process7 file8 35 C:\Users\user\AppData\...\amrhioao.exe, PE32 16->35 dropped 37 C:\Users\user\AppData\Local\Temp\B26D.tmp, PE32 16->37 dropped 53 Antivirus detection for dropped file 16->53 55 Multi AV Scanner detection for dropped file 16->55 57 Machine Learning detection for dropped file 16->57 59 2 other signatures 16->59 28 fpipnlvahva.exe 9 16->28         started        33 WerFault.exe 24 9 16->33         started        signatures9 process10 dnsIp11 49 justkowir.duckdns.org 103.176.111.90, 49702, 49708, 49713 AARNET-AS-APAustralianAcademicandResearchNetworkAARNe unknown 28->49 51 192.168.2.1 unknown unknown 28->51 45 C:\Users\user\AppData\Roaming\...\run.dat, data 28->45 dropped 79 Hides that the sample has been downloaded from the Internet (zone.identifier) 28->79 file12 signatures13
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a898127d2c98fda1751d317cdf3a1d85f79de8fe762edb2415ec04e7c1c53a6f/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-03-21 19:27:24 UTC
File Type:
PE (Exe)
Extracted files:
18
AV detection:
23 of 37 (62.16%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vcmbe7jmtd62c5i5gf6n6oq5qx3z32h6oyxnwjav5qcopqofhjxq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
525b7d66ed7032178d6fed1686560143655af76f12c8b344f03f09632a4287d7
NanoCore
76e24ca3952bbed5f20751c0cb99fc498999cb23d61972e826bad32dda60f7b5
NanoCore
82a4c9b1cde4bf1ed9a906c492224b5692dfd38f9e6d38f0f5ba5c3dea7c8a0a
NanoCore
86f42645b20ddd4fd363bab53bd0a6c3ea69dac332b403e975837b71e3f57126
NanoCore
b0f85cc7a5a9a1c074f6e738cb8f211645f4550e5864eacd74bf95c34420be8f
NanoCore
b57e8af197e449bd6a0848184786765c4a5bf27c7d4036c89ce0de4a7b00a5c3
NanoCore
d371bfa803b2042d3f77d5043ec7515d4791d161ed5e6eea51b7f640a75926f1
NanoCore
+ 2'569 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230323-s1wkbagf27/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
NanoCore
Malware Config
C2 Extraction:
justkowir.duckdns.org:8550
Unpacked files
SH256 hash:
0f1d6aab547ceca6e71ac2e5a54afdaea597318fe7b6ca337f5b92fdff596168
MD5 hash:
fc6b48e4a26a58d4ac831717ba66c7cc
SHA1 hash:
d85d002146457a6c2d5c4d574c6f85c7783995b1
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/0f8337f8-2aab-4901-a8e6-3f099c8304a4/
Parent samples :
a898127d2c98fda1751d317cdf3a1d85f79de8fe762edb2415ec04e7c1c53a6f
3a91172e3abf9fa8c77eaab7bb0115ea0425e45b7f7e684f9114ea5051bcb341
0f1d6aab547ceca6e71ac2e5a54afdaea597318fe7b6ca337f5b92fdff596168
SH256 hash:
0a35fca48936fd55902f1c27b15232bb77dc3b8ddaf51717d537c7d51480c5e0
MD5 hash:
87db5b2fefc7222378a104d7f19a2fe6
SHA1 hash:
3b8cee98e2c9995b1f272a440a579292ad1494fb
Link:
https://www.unpac.me/results/0f8337f8-2aab-4901-a8e6-3f099c8304a4/
SH256 hash:
09ab69d2a562fce255127aff4f20c2c0bdb24ae6642bfd5b72f9d7d96c105c55
MD5 hash:
a433c2e8ca0516120d095634700b4066
SHA1 hash:
1fa4727b8e5134fda8b5ebb2153f1e44e14cb99d
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/0f8337f8-2aab-4901-a8e6-3f099c8304a4/
SH256 hash:
a898127d2c98fda1751d317cdf3a1d85f79de8fe762edb2415ec04e7c1c53a6f
MD5 hash:
1017fcdd21ff4ee2a5ac3d90b680d2fe
SHA1 hash:
b9e040314eb74c24ad9f42ce37032ad238a37649
Link:
https://www.unpac.me/results/0f8337f8-2aab-4901-a8e6-3f099c8304a4/
Malware family:
NanoCore
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a898127d2c98/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:malware_Nanocore_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:MALWARE_Win_NanoCore
Create hunting rule
Author:ditekSHen
Description:Detects NanoCore
Rule name:nanocore_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Feb18_1_RID2DF1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:Nanocore_RAT_Gen_2_RID2D96
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:sfx_pdb
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_Nanocore_d8c4e3c5
Create hunting rule
Author:Elastic Security
Rule name:win_nanocore_w0
Create hunting rule
Author:Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/376898/

Comments