MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b15a2d93ad39a55b90248ef52e7543bfc3268af18225342a67f45061183c13aa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 8


Intelligence 8 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b15a2d93ad39a55b90248ef52e7543bfc3268af18225342a67f45061183c13aa
SHA3-384 hash: 50f06b511dd56f43426ccb3f214f516dcdca6520379e733d330297e48948729d59e8bed7d578cbf0499f6b76c4f2e9ca
SHA1 hash: 6a1d26b5d131ff5b9818c6e3a4186b1979628741
MD5 hash: db1d2b6cab89d536e923eb04fe13be02
humanhash: enemy-item-coffee-enemy
File name:DHL_10177_R293_DOCUMENT.bat
Download: download sample
Signature NanoCore
Create hunting rule
File size:2'982'400 bytes
First seen:2020-11-17 19:43:45 UTC
Last seen:2020-11-27 10:27:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 49152:ihVfCLE/q/P8QTCVnB2iLPaYCtxs4+3p:ihpCLE+P8QTCVn3LPaDxs4+3
Threatray 1'328 similar samples on MalwareBazaar
TLSH F0D5395C3C43305F798A01B006EB5AE892DA7118157027399CEB65BCDA1DD6B7CEF8B2
Reporter GovCERT_CH
Tags:NanoCore

Intelligence

File Origin
# of uploads :
32
# of downloads :
266
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Adding an access-denied ACE
Creating a window
Creating a file in the %AppData% subdirectories
Connection attempt
Launching the default Windows debugger (dwwin.exe)
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Enabling autorun
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/539888
Signature
Binary contains a suspicious time stamp
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Detected Nanocore Rat
Drops PE files to the startup folder
Found malware configuration
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 319042 Sample: DHL_10177_R293_DOCUMENT.bat Startdate: 17/11/2020 Architecture: WINDOWS Score: 100 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 Multi AV Scanner detection for dropped file 2->46 48 9 other signatures 2->48 6 DHL_10177_R293_DOCUMENT.exe 3 4 2->6         started        10 DHL_10177_R293_DOCUMENT.exe 2 2->10         started        12 DHL_10177_R293_DOCUMENT.exe 2 2->12         started        14 3 other processes 2->14 process3 file4 34 C:\Users\user\...\DHL_10177_R293_DOCUMENT.exe, PE32 6->34 dropped 36 DHL_10177_R293_DOC...exe:Zone.Identifier, ASCII 6->36 dropped 50 Creates an undocumented autostart registry key 6->50 52 Creates autostart registry keys with suspicious names 6->52 54 Creates multiple autostart registry keys 6->54 56 Drops PE files to the startup folder 6->56 16 CasPol.exe 8 6->16         started        20 WerFault.exe 23 9 6->20         started        22 CasPol.exe 6->22         started        58 Writes to foreign memory regions 10->58 60 Hides threads from debuggers 10->60 62 Injects a PE file into a foreign processes 10->62 24 CasPol.exe 5 10->24         started        26 WerFault.exe 10->26         started        28 CasPol.exe 12->28         started        30 WerFault.exe 12->30         started        signatures5 process6 dnsIp7 38 185.157.162.81, 5504 OBE-EUROPEObenetworkEuropeSE Sweden 16->38 40 NANOPC.LINKPC.NET 105.112.101.201, 5504 VNL1-ASNG Nigeria 16->40 32 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 16->32 dropped file8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b15a2d93ad39a55b90248ef52e7543bfc3268af18225342a67f45061183c13aa/
Threat name:
ByteCode-MSIL.Trojan.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2020-11-17 19:00:06 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wfnc3e5nhgsvxeber32s45kdx7bsncxrqistikth6rigcgb4cova._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
2806c2d9436aebf20ce36487ed517b67fe2899db2b0f8947096b23f343b5ac23
NanoCore
38814f6587d098be00d461dae2dfeb01b50e2a697d86bfc02e334024133bfed8
NanoCore
43ad93082a89152d41f40cd7a551c3fba9618e88c98739b7cc09c6ede30b6d02
NanoCore
6a4ecef563225ed9892ff403374d704be5e3b4242ae9f08d624325e83fd22276
NanoCore
7edb6382eaeded52c1341cec1508c797a7d7146d19e508c9713a4266ac823c8a
NanoCore
814eaf5f7ac92cfed0226402ff7075efe5c0d81e7b555d01376db3e62e34595c
NanoCore
a26b2e637723aaf286bb3c75afa070576c0f5d334161f0f62a27ce41eaf27d37
NanoCore
b87295a4b2fb2d2f4df9d502d52e2f50a5e9b3ba9f56b17e252fa0f3022ae6f4
NanoCore
bd969441be871b85681f3e4e9b933c311ab6d9a9360822f6411c1d2edbae4f26
NanoCore
cf3dcb49ec0f07b8ddf68f9dedf71ca24cf7364c819082164df3a9ec0433e741
NanoCore
+ 1'318 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201117-3p72te1rdn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Modifies WinLogon for persistence
NanoCore
Malware Config
C2 Extraction:
185.157.162.81:5504
NANOPC.LINKPC.NET:5504
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:nanocore_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

178de1db3852e3962048c71bb2a2582c31c0dcfbf9696f5862ede628632d9a92

NanoCore

Executable exe b15a2d93ad39a55b90248ef52e7543bfc3268af18225342a67f45061183c13aa

(this sample)

  
Dropped by
MD5 af3a1619f13ffd6566dcef3b6bd4da79
  
Dropped by
SHA256 178de1db3852e3962048c71bb2a2582c31c0dcfbf9696f5862ede628632d9a92
  
Dropped by
NanoCore
  
Delivery method
Distributed via e-mail attachment

Comments