MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b52d51a3fcc992ee839f94f07d7ac0bcdeccc5c1a3de24b82357a01ee9bf37c1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b52d51a3fcc992ee839f94f07d7ac0bcdeccc5c1a3de24b82357a01ee9bf37c1
SHA3-384 hash: 85fb50bc79cd4c907aa80fcc197d14a1780b2d59943322a0b4bee8630542558d06602b4d3f7d8cdbb281adeff5fd4f48
SHA1 hash: d143b4e95e5db5db16a73f07d54fbfe9a1dbbab1
MD5 hash: 23726740ddabfa067599e5d50d943d55
humanhash: cat-alaska-winter-jig
File name:SecuriteInfo.com.BehavesLike.Win32.Generic.jc.9685
Download: download sample
Signature NanoCore
Create hunting rule
File size:687'104 bytes
First seen:2020-12-16 19:42:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:kEiKvb5Qsd4vKsrMJBNMdiohB+rUlrvzL/jlkO5JyCWslmy/jT+D9:/LJL9oowPr55M
Threatray 1'576 similar samples on MalwareBazaar
TLSH 32E47D243AEF5118F1B3AF769BD47596DAAFFA733706D42E1490038B0723A84CD9153A
Reporter SecuriteInfoCom
Tags:NanoCore

Intelligence

File Origin
# of uploads :
1
# of downloads :
267
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
New Order 34566.xlsx
Verdict:
Malicious activity
Analysis date:
2020-12-16 16:24:22 UTC
Tags:
encrypted opendir exploit CVE-2017-11882 loader rat nanocore
Link:
https://app.any.run/tasks/2288848c-2cd1-4246-809f-fa6ecd86fee5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Generic.jc.9685.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/564699
Signature
.NET source code contains potential unpacker
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 331442 Sample: SecuriteInfo.com.BehavesLik... Startdate: 16/12/2020 Architecture: WINDOWS Score: 100 46 Found malware configuration 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 Multi AV Scanner detection for dropped file 2->50 52 11 other signatures 2->52 7 SecuriteInfo.com.BehavesLike.Win32.Generic.jc.exe 7 2->7         started        11 dhcpmon.exe 5 2->11         started        process3 file4 28 C:\Users\user\AppData\...\ChluXjkvFH.exe, PE32 7->28 dropped 30 C:\Users\...\ChluXjkvFH.exe:Zone.Identifier, ASCII 7->30 dropped 32 C:\Users\user\AppData\Local\...\tmp2349.tmp, XML 7->32 dropped 34 SecuriteInfo.com.B....Generic.jc.exe.log, ASCII 7->34 dropped 54 Injects a PE file into a foreign processes 7->54 13 SecuriteInfo.com.BehavesLike.Win32.Generic.jc.exe 1 9 7->13         started        18 schtasks.exe 1 7->18         started        20 schtasks.exe 1 11->20         started        22 dhcpmon.exe 2 11->22         started        signatures5 process6 dnsIp7 42 127.0.0.1 unknown unknown 13->42 44 corsi111.myq-see.com 79.134.225.26, 32126, 49728, 49729 FINK-TELECOM-SERVICESCH Switzerland 13->44 36 C:\Program Files (x86)\...\dhcpmon.exe, PE32 13->36 dropped 38 C:\Users\user\AppData\Roaming\...\run.dat, ISO-8859 13->38 dropped 40 C:\...\dhcpmon.exe:Zone.Identifier, ASCII 13->40 dropped 56 Hides that the sample has been downloaded from the Internet (zone.identifier) 13->56 24 conhost.exe 18->24         started        26 conhost.exe 20->26         started        file8 signatures9 process10
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b52d51a3fcc992ee839f94f07d7ac0bcdeccc5c1a3de24b82357a01ee9bf37c1/
Threat name:
ByteCode-MSIL.Backdoor.NanoCore
Create hunting rule
Status:
Malicious
First seen:
2020-12-16 17:10:38 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wuwvdi74zgjo5a47styh26waxtpmzrobuppcjobdk6qb52n7g7aq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
07ebf1a396b6745787090025c29f48d0ee31d06b33d6780c64dfa2a061fc03c6
NanoCore
1e0640a5975ce7260ddb68118389c76efc0fbbd791bcf62a3280f116a4ef4f66
NanoCore
6e6132e3f3bc119adac878ba65475b581698e8dd7d2169f984bb5eb232f6b3c6
NanoCore
8192d560e89e235f4734cf4ad8fa3a9a91abd7eb83b589c4d471efc5d6361f1d
NanoCore
9822b3db3d4039f26ee8f6f690dcca63094904607a3ec076a4e73fd0aa919103
NanoCore
98f37fbfa4b85900e8d25bde1a1497a26a9c1c620b812f61ccb14ebbaec26a00
NanoCore
a682ac9ef2f7b961a104799132c533960d192614ef6a43b1fd9a6a88bfdb6f21
NanoCore
bbd2c149ff9143d0899d89674c320ae974cc430a3b7b9807eb1bc164768faea9
NanoCore
cc566277bb275dde9c670ecd2d89c9d3a0e3b22cb8aa28b4d564d4b8232bbc7e
NanoCore
e07c9d7c06c5ebc0b53aba5bb6c35edd07169401a08e016ca68fa5677db00370
NanoCore
+ 1'566 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201216-3hem4nyp3x/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
NanoCore
Malware Config
C2 Extraction:
corsi111.myq-see.com:32126
127.0.0.1:32126
Unpacked files
SH256 hash:
b52d51a3fcc992ee839f94f07d7ac0bcdeccc5c1a3de24b82357a01ee9bf37c1
MD5 hash:
23726740ddabfa067599e5d50d943d55
SHA1 hash:
d143b4e95e5db5db16a73f07d54fbfe9a1dbbab1
Link:
https://www.unpac.me/results/68a726a2-f467-4f05-bcd1-bd8a0cc806ec/
SH256 hash:
f3bea818420aefececec9c73b0d6dd8cef048736b58b7f12ab0b39717bbf0727
MD5 hash:
d53d829f8a0590d36b434f4efd4791de
SHA1 hash:
1f6d371f3f8868337a5ed4b32579856bd52a0e62
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/68a726a2-f467-4f05-bcd1-bd8a0cc806ec/
SH256 hash:
64c18383838bb3903318208c814960d4dc603bad080b77f6751da9fa135ce8c1
MD5 hash:
1bacd6169286f9ef482f6d456267a752
SHA1 hash:
cd7a46bc53af2dfd3594eba68177c6c4893fe261
Link:
https://www.unpac.me/results/68a726a2-f467-4f05-bcd1-bd8a0cc806ec/
SH256 hash:
ff6a35b3e48b9ea7d19325a13a7a961a4523dc392372f3f8acfe7e54dcf99648
MD5 hash:
38d194ada9a0c002cc4d6016550983d6
SHA1 hash:
e9993fa659259746a886ab3a7330596573a08c9c
Link:
https://www.unpac.me/results/68a726a2-f467-4f05-bcd1-bd8a0cc806ec/
SH256 hash:
21afc398aa7e05ed3eb9a23a011d0b7572a1178b33dba6b865638fdae2ffd461
MD5 hash:
579f71a60d426d5cfe9b40b74b1d5a52
SHA1 hash:
f130426ab206b90d5b04d47727a27dc5f0749ec1
Link:
https://www.unpac.me/results/68a726a2-f467-4f05-bcd1-bd8a0cc806ec/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b52d51a3fcc992ee839f94f07d7ac0bcdeccc5c1a3de24b82357a01ee9bf37c1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:nanocore_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NanoCore

Executable exe b52d51a3fcc992ee839f94f07d7ac0bcdeccc5c1a3de24b82357a01ee9bf37c1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/923276/
  
Delivery method
Distributed via web download

Comments