MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 abca0434af61ccbf707f5ea013f0c5f582106c9701552eeba5e64d678401dfd2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	abca0434af61ccbf707f5ea013f0c5f582106c9701552eeba5e64d678401dfd2
SHA3-384 hash:	b83342b32d7a509076b27407804b205c194090f380484bbc3e61ee5cb24ae688f0053a03a2bf4f7aa10a847ce6afe6d1
SHA1 hash:	2f627c510f7fc0808d8e06b9b309f934acb439c0
MD5 hash:	1570be9489f6638e20884ea8b262f0a8
humanhash:	vermont-carpet-wisconsin-triple
File name:	Conform descrierii traducereProfil liniar355377.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	307'832 bytes
First seen:	2021-10-22 10:50:28 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep	6144:wBlL/cBTySWgMMtHXaqILNcK/GZbGFwCHoLV13fRWP:CeASWgMMI/OGmEQDRWP
TLSH	T1BE64228B72C908F3CA06427194BAF336E3278525213652DF0B694E6E4AB13C7EE557C7
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	lowmal3
Tags:	exe NanoCore

Intelligence

File Origin

# of uploads :

# of downloads :

315

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

conform7z.zip

Verdict:

Malicious activity

Analysis date:

2021-10-22 16:50:04 UTC

Tags:

rat nanocore

Link:

https://app.any.run/tasks/aa601b58-247b-49e2-aace-2926017ad29d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

NanoCore

Link:

https://www.capesandbox.com/analysis/199367/

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a file

Deleting a recently created file

Creating a window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/61729799db358dd15ed3a825/reports/e74241ac-13ba-4836-bcc1-f167a8d13f10/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/eb1d74f9-a444-4b85-b8e4-c301fd9cb30e

Result

Threat name:

Nanocore

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/875188

Signature

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Detected Nanocore Rat

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Yara detected Nanocore RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/abca0434af61ccbf707f5ea013f0c5f582106c9701552eeba5e64d678401dfd2/

Threat name:

Win32.Trojan.Nsisx

Status:

Malicious

First seen:

2021-10-22 10:51:05 UTC

AV detection:

13 of 45 (28.89%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=vpfainfpmhgl64d7l2qbh4gf6wbba3exafks525f4zgwpbab37ja._file

Verdict:

malicious

Label(s):

nanocorerat

Result

Malware family:

nanocore

Score:

10/10

Tags:

family:nanocore evasion keylogger spyware stealer suricata trojan

Link:

https://tria.ge/reports/211022-mxtnnacdbq/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks whether UAC is enabled

Loads dropped DLL

NanoCore

suricata: ET MALWARE Possible NanoCore C2 60B

Malware Config

C2 Extraction:

178.170.138.163:5626

Unpacked files

SH256 hash:

6d14b1574ae3e00d62e88cc6dcdaf8475b1d526b60f5b4dda9a9d6e35ab29a55

MD5 hash:

83d942647f772159eeda5a3b82cff1c1

SHA1 hash:

823535ff3ebaa8a8c6016bd204187f393e871aa6

Link:

https://www.unpac.me/results/71d7687b-6f2b-45b5-b580-64c26af2f628/

SH256 hash:

abca0434af61ccbf707f5ea013f0c5f582106c9701552eeba5e64d678401dfd2

MD5 hash:

1570be9489f6638e20884ea8b262f0a8

SHA1 hash:

2f627c510f7fc0808d8e06b9b309f934acb439c0

Link:

https://www.unpac.me/results/71d7687b-6f2b-45b5-b580-64c26af2f628/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Nanocore

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/abca0434af61ccbf707f5ea013f0c5f582106c9701552eeba5e64d678401dfd2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

exe abca0434af61ccbf707f5ea013f0c5f582106c9701552eeba5e64d678401dfd2

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/199367/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample