MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 afe7d487324952929f8f037bdfbd7249049086fc8c4a90a2acdaaffd6d342823. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: afe7d487324952929f8f037bdfbd7249049086fc8c4a90a2acdaaffd6d342823
SHA3-384 hash: 9109cadc2efdbed7b5aca6ed5baffe2d65cc26a90c95898504f778bdc2afc04e8d2633e51c56a422d5a797525977209b
SHA1 hash: 0e17e9e685e421b29f3cdd28876a3e9b8ae41d8f
MD5 hash: 1efbcd27b8ad5e4b0f1220af11c9b24a
humanhash: nuts-delaware-bravo-lamp
File name:AFE7D487324952929F8F037BDFBD7249049086FC8C4A9.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:1'211'392 bytes
First seen:2021-06-30 21:45:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3e5b9923ab1e9eb27fe6580af9265696 (3 x NanoCore)
ssdeep 24576:xDdOxLFDApSPKk48zvvpUIQ0Gl9wzB2b21A9ZLh6+8:xDiLFssPH48pfqSN2bEMLE
Threatray 1'043 similar samples on MalwareBazaar
TLSH 0F4501EAA7CA8823E867663455B70B537F22FC929B74410B2721F89C1D72391FD34726
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
NanoCore C2:
192.169.69.25:3606

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
192.169.69.25:3606 https://threatfox.abuse.ch/ioc/156557/

Intelligence

File Origin
# of uploads :
1
# of downloads :
194
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ipscane.exe
Verdict:
Malicious activity
Analysis date:
2018-07-25 18:44:37 UTC
Tags:
autoit rat nanocore
Link:
https://app.any.run/tasks/d976426b-3e9f-409a-a7ef-9a13ae7c902c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/169016/
Detection(s):
Win.Malware.Ototi-6591407-0
Create hunting rule

Win.Packed.Generic-7139870-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
KeyBase
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/66edcc18-2d86-463a-b1ef-f38a827f0bf7
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/810251
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Drops PE files to the user root directory
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 442660 Sample: AFE7D487324952929F8F037BDFB... Startdate: 30/06/2021 Architecture: WINDOWS Score: 100 37 bproduction.zapto.org 2->37 39 bproduction.duckdns.org 2->39 53 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->53 55 Multi AV Scanner detection for domain / URL 2->55 57 Found malware configuration 2->57 59 10 other signatures 2->59 9 AFE7D487324952929F8F037BDFBD7249049086FC8C4A9.exe 1 5 2->9         started        12 jcsfmyaw.exe 1 2->12         started        14 rundll32.exe 2->14         started        signatures3 process4 file5 35 C:\Users\user\AppData\Local\...\jcsfmyaw.exe, PE32 9->35 dropped 16 jcsfmyaw.exe 3 9->16         started        process6 file7 31 C:\Users\user\jcsfmyaw.exe, PE32 16->31 dropped 47 Multi AV Scanner detection for dropped file 16->47 49 Drops PE files to the user root directory 16->49 51 Allocates memory in foreign processes 16->51 20 jcsfmyaw.exe 6 16->20         started        25 cmd.exe 1 16->25         started        signatures8 process9 dnsIp10 41 bproduction.duckdns.org 192.169.69.25, 3606, 49715, 49716 WOWUS United States 20->41 43 bproduction.zapto.org 20->43 45 192.168.2.1 unknown unknown 20->45 33 C:\Users\user\AppData\Roaming\...\run.dat, data 20->33 dropped 61 Hides that the sample has been downloaded from the Internet (zone.identifier) 20->61 63 Uses schtasks.exe or at.exe to add and modify task schedules 25->63 27 conhost.exe 25->27         started        29 schtasks.exe 1 25->29         started        file11 signatures12 process13
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/afe7d487324952929f8f037bdfbd7249049086fc8c4a90a2acdaaffd6d342823/
Threat name:
Win32.Backdoor.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2018-07-26 10:49:54 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=v7t5jbzsjfjjfh4pan557plsjecjbbx4rrfjbivm3kx723jufarq._file
Verdict:
malicious
Similar samples:
03e6b99846c4ab6a841fa7aa135d2e7230a98957c1595e2ee0bc2b14329871ca
NanoCore
1029ba046df67ee328ad9d21bfd1e6d31c5cedc4d4ead02b29502e220808c751
NanoCore
215efb4d72a987d380f71ce2cea15cb73c3084253026a2c80efd7a3c83ae5f9f
NanoCore
4b5962005864c7cd8c362e37987f7091991f6f3f0a992e02e1b51beb92292a5d
NanoCore
77d83370f3109b9a0c199c60870edd92184c170abfc2f1817cd625245fcfae10
NanoCore
b27c248040351b85f805c45a12dd85396824a1a3388225138d46924a9edd3788
NanoCore
b89620cbc9ac44fd7d39e58b04083b674342f3aa55ed9752160fbf6d2e34b785
NanoCore
e131a045dc4874ee4eed8e75af0faeecaf86a80e18f13b9845a8b6f57686beec
NanoCore
e4319ba20af83dd8ba6041fd70c3c27dc2c79c648de642487fc1a217e0549fc8
NanoCore
ebfcc36e36933bf6454937c260a1370cd3ece3b67d7abbf66ec9eb4d2892dd79
NanoCore
+ 1'033 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210630-3al299kmsn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
Executes dropped EXE
NanoCore
Malware Config
C2 Extraction:
bproduction.zapto.org:3606
bproduction.duckdns.org:3606
Unpacked files
SH256 hash:
224a850900800a9d02ed71f19626644cada7d9c637c4ba6d361a102024068925
MD5 hash:
bc6878f2dd2594485d95ceead3f74ce4
SHA1 hash:
395f311456e6cc0a3853c76fe24adbe3b95484ca
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/fdd180aa-c055-4cdf-a07d-e92cc6d8f188/
SH256 hash:
3d821438f84f600a8fe82652a1cf2e35fb16fbc476ab16d0fb20f198875a86a9
MD5 hash:
a94461ab3bc7c7b90c81e1bf0c9826f5
SHA1 hash:
ca04cc872facef40fccb1b2c2a0d00cf4761f179
Link:
https://www.unpac.me/results/fdd180aa-c055-4cdf-a07d-e92cc6d8f188/
SH256 hash:
afe7d487324952929f8f037bdfbd7249049086fc8c4a90a2acdaaffd6d342823
MD5 hash:
1efbcd27b8ad5e4b0f1220af11c9b24a
SHA1 hash:
0e17e9e685e421b29f3cdd28876a3e9b8ae41d8f
Link:
https://www.unpac.me/results/fdd180aa-c055-4cdf-a07d-e92cc6d8f188/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/afe7d487324952929f8f037bdfbd7249049086fc8c4a90a2acdaaffd6d342823

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:nanocore_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/169016/

Comments