MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac2fc2d849b4747959b18c26d21d0e019af712877cf7cba29463ca1629441d68. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 9


Intelligence 9 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ac2fc2d849b4747959b18c26d21d0e019af712877cf7cba29463ca1629441d68
SHA3-384 hash: 6118d80f95bd9f5cf49fd16f9265ed323c905b52dded89475d2490693b8017ca7df3e1addced9627d458e3f9f3f872fe
SHA1 hash: 4d631ab5718c9c1b32346b7102908792ac575497
MD5 hash: 288a81ddcc8c24a1d1230e2964f7db6e
humanhash: jersey-mango-bravo-diet
File name:ac2fc2d849b4747959b18c26d21d0e019af712877cf7cba29463ca1629441d68
Download: download sample
Signature NanoCore
Create hunting rule
File size:714'752 bytes
First seen:2020-11-10 11:27:19 UTC
Last seen:2024-07-24 20:11:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:Lx7Ht8LF0ab9JkMcAuZrXJh5ASlWw5OsvVbWZrMhsrC888taA101j:dJ8jmPAuZDP5AS0wks9bWZ4hsePNAe1
Threatray 1'258 similar samples on MalwareBazaar
TLSH D0E412365283AE82EB3A1E75E49332941FB4B9279714EE4DBDCC00B514E3B18DE11B79
Reporter seifreed
Tags:NanoCore

Intelligence

File Origin
# of uploads :
2
# of downloads :
73
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Launching a process
Creating a process with a hidden window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/529332
Signature
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
Detected Nanocore Rat
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 313763 Sample: L7JbjVz1V8 Startdate: 11/11/2020 Architecture: WINDOWS Score: 100 40 smith2021.ddns.net 2->40 46 Malicious sample detected (through community Yara rule) 2->46 48 Multi AV Scanner detection for dropped file 2->48 50 Sigma detected: Scheduled temp file as task from temp location 2->50 52 11 other signatures 2->52 9 L7JbjVz1V8.exe 6 2->9         started        13 MSBuild.exe 2 2->13         started        signatures3 process4 file5 34 C:\Users\user\AppData\...\VfZasWUbkbv.exe, PE32 9->34 dropped 36 C:\Users\user\AppData\Local\...\tmpD0E1.tmp, XML 9->36 dropped 38 C:\Users\user\AppData\...\L7JbjVz1V8.exe.log, ASCII 9->38 dropped 54 Writes to foreign memory regions 9->54 56 Injects a PE file into a foreign processes 9->56 15 MSBuild.exe 8 9->15         started        20 schtasks.exe 1 9->20         started        22 MSBuild.exe 9->22         started        24 conhost.exe 13->24         started        signatures6 process7 dnsIp8 42 smith2021.ddns.net 194.5.96.133, 1012, 49726, 49727 IPC-ASUA Netherlands 15->42 32 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 15->32 dropped 44 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->44 26 schtasks.exe 1 15->26         started        28 conhost.exe 20->28         started        file9 signatures10 process11 process12 30 conhost.exe 26->30         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ac2fc2d849b4747959b18c26d21d0e019af712877cf7cba29463ca1629441d68/
Threat name:
ByteCode-MSIL.Trojan.Heracles
Create hunting rule
Status:
Malicious
First seen:
2020-11-10 11:32:55 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vqx4fwcjwr2hswnrrqtnehioagnpoeuhpt34xiuumpfbmkkedvua._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
08b5840287d51dd47c2458f778673d7497c0bc8bd3a479bd28edead49815153f
NanoCore
0cd5e1ff0a9dba62b452f1a2f17e22c2b99dab267d9d09568a3e6b1cc8aa4a33
NanoCore
43d6dc0d40115b3792180b6f64efc80c4ed25e413352b647bc899d4becc5553a
NanoCore
45937fa735fb074b8d1a40e131648d9554e7104dbb294e727bc8be4a16167410
NanoCore
4601de4e881f61e0a654439819c1026e588317f99c88d5fe247e6d2876d1a16b
NanoCore
55a85320a226d58c12355a5836a77fd17fd270fefa30612da9e6a79b9f17b222
NanoCore
62a7f441ba21aaa568fe700029fa32d6dd7eeb2ed0a7f7259a680f2aae65ee31
NanoCore
b2e9a56a20c71306ae8965955dfa780b868c5766f3ebb2f8e4c816a305711cdd
NanoCore
b87295a4b2fb2d2f4df9d502d52e2f50a5e9b3ba9f56b17e252fa0f3022ae6f4
NanoCore
e607a54592bc86fd86e26145cba601bf2dc2e94ad19bcb0a14f09398468c8265
NanoCore
+ 1'248 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201110-jy2433cpdj/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
NanoCore
Malware Config
C2 Extraction:
smith2021.ddns.net:1012
Unpacked files
SH256 hash:
82f7a358210a288f0f49617501a535e044325f0f971556cabfcf8d9e619aa41a
MD5 hash:
73fa635dacaed0b0f8dee3d6c055ba13
SHA1 hash:
3f5f36fa1610b11624945206c50c078bbb542aa3
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/bc0cd09a-197f-462b-aa36-867508f491dd/
Parent samples :
ac2fc2d849b4747959b18c26d21d0e019af712877cf7cba29463ca1629441d68
d5bb983da618a305cbc11c595a5f6726860dd74d0d7b5bdb2b3e500dfc1424ed
SH256 hash:
cb951f1d2b5460456aad0d89cef1216d9be5e51784d11a92447d43e96177bd5e
MD5 hash:
8cd5d2014866f4ef60802ff1826998a6
SHA1 hash:
8ff75946905d0b117080cc5a07e6e0bbea4e9bbd
Link:
https://www.unpac.me/results/bc0cd09a-197f-462b-aa36-867508f491dd/
SH256 hash:
66a2c005d7cc212bcdcf5d6cb1b2bd6af43e6fd1845b13e09229d8ec483da30b
MD5 hash:
dcf8073dc1061c640fc13c9e38398bb1
SHA1 hash:
d38e6a9bd8ec8aa1f97673595c6c28a1dff1a960
Link:
https://www.unpac.me/results/bc0cd09a-197f-462b-aa36-867508f491dd/
SH256 hash:
ac2fc2d849b4747959b18c26d21d0e019af712877cf7cba29463ca1629441d68
MD5 hash:
288a81ddcc8c24a1d1230e2964f7db6e
SHA1 hash:
4d631ab5718c9c1b32346b7102908792ac575497
Link:
https://www.unpac.me/results/bc0cd09a-197f-462b-aa36-867508f491dd/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:nanocore_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments