MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b713419450af62ccb585f2636216809e83b16b8046159ddc5a86ca080226c67e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b713419450af62ccb585f2636216809e83b16b8046159ddc5a86ca080226c67e
SHA3-384 hash: 28410d0b6bdb9742130e8c1d4ceeabad8c65d2c8ae03f8c82d87aa5db14f1ebd0868dc930840aac6177c1e3f50d22c7e
SHA1 hash: bb9a17ffa896dce06b0969666efae60d73790f1e
MD5 hash: 4910501297a7863743b3545013dc8a4c
humanhash: cardinal-snake-snake-mango
File name:Upgrade Form.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:610'816 bytes
First seen:2020-10-12 14:50:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:7OM6laQGDvy5BDtB8EzPI3DJFr9QNt0fTRW0a8dLfZ85I9tJekkwO:Syy5BnBaDJFr9+2TM8d7ZAIng
Threatray 1'128 similar samples on MalwareBazaar
TLSH 3AD4123E1159BF5BD17C51B88460911C8AF8DA096EE3D20A7EF348F7B2D17CA0B01D9A
Reporter Anonymous
Tags:NanoCore

Intelligence

File Origin
# of uploads :
1
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/70139/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Siggen9.56514.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/488606
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 296763 Sample: Upgrade Form.exe Startdate: 12/10/2020 Architecture: WINDOWS Score: 100 50 Found malware configuration 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 Antivirus detection for dropped file 2->54 56 13 other signatures 2->56 7 Upgrade Form.exe 7 2->7         started        11 dhcpmon.exe 5 2->11         started        process3 file4 32 C:\Users\user\AppData\...\sGqFOnssEUAb.exe, PE32 7->32 dropped 34 C:\Users\...\sGqFOnssEUAb.exe:Zone.Identifier, ASCII 7->34 dropped 36 C:\Users\user\AppData\Local\...\tmp4F24.tmp, XML 7->36 dropped 38 C:\Users\user\...\Upgrade Form.exe.log, ASCII 7->38 dropped 58 Injects a PE file into a foreign processes 7->58 13 Upgrade Form.exe 1 9 7->13         started        18 schtasks.exe 1 7->18         started        20 schtasks.exe 1 11->20         started        22 dhcpmon.exe 2 11->22         started        24 dhcpmon.exe 11->24         started        26 2 other processes 11->26 signatures5 process6 dnsIp7 46 79.134.225.82, 49737, 49741, 49747 FINK-TELECOM-SERVICESCH Switzerland 13->46 48 192.168.5.247, 54251 unknown unknown 13->48 40 C:\Program Files (x86)\...\dhcpmon.exe, PE32 13->40 dropped 42 C:\Users\user\AppData\Roaming\...\run.dat, data 13->42 dropped 44 C:\...\dhcpmon.exe:Zone.Identifier, ASCII 13->44 dropped 60 Hides that the sample has been downloaded from the Internet (zone.identifier) 13->60 28 conhost.exe 18->28         started        30 conhost.exe 20->30         started        file8 signatures9 process10
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b713419450af62ccb585f2636216809e83b16b8046159ddc5a86ca080226c67e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-08 06:43:53 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=w4judfcqv5rmznmf6jrwefuat2b3c24aiykz3xc2q3faqargyz7a._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
4bdce1c0f19e06fe3011983fd12202ca87b82016cf29422554ec1687e0ff377f
NanoCore
63dfa06e060f866e2762247bd6f172422c735f8d6f4402bf4b709933c2d4da59
NanoCore
73c1dadfe683d9f3dfcd2655018b4a17d0a679caf40195a223f387025086bc86
NanoCore
7795d2106023220b5e106b1e05815e7818d66189c01d4bc927767008fccdc6d2
NanoCore
83b70b20d0cdb13e9c420723ba5f025827d21e0c051c6e64b5553a5c372c3374
NanoCore
9d44ded1da60c6d985cd16f0b98954f746f83f3d7d093f15f30a88eb14441e0a
NanoCore
cb5eb4758a41046a2f3fc084731d756aedf8ea212dc08c9bb2e6cd7f5eff6cae
NanoCore
ea4115e347193aa868162072e3db30d9652650aa2915726aa83d91beb202b9bb
NanoCore
f6418cb1cf7a9024b0a8e7f736c45f0a7e8aaa5ecd2d41241f20a56ea05ccf07
NanoCore
fe7d67f2ca207d604740c8e66d22638049ca8a0c40818ad9f1d8515d6912f16d
NanoCore
+ 1'118 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
persistence evasion trojan keylogger stealer spyware family:nanocore
Link:
https://tria.ge/reports/201012-blkps4cfje/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
NanoCore
Malware Config
C2 Extraction:
79.134.225.82:54251
192.168.5.247:54251
Unpacked files
SH256 hash:
b713419450af62ccb585f2636216809e83b16b8046159ddc5a86ca080226c67e
MD5 hash:
4910501297a7863743b3545013dc8a4c
SHA1 hash:
bb9a17ffa896dce06b0969666efae60d73790f1e
Link:
https://www.unpac.me/results/d2cb4e5b-cccf-4d62-89ec-269d8c272517/
SH256 hash:
7579a4d247b379b1779e5ec7b17fb105eff884c2e28fd407b9dd6101384bc521
MD5 hash:
72b5b935b70ff1ca191dde210d94626a
SHA1 hash:
0607beaaaa8951d26f491847b2f016083888f4f4
Link:
https://www.unpac.me/results/d2cb4e5b-cccf-4d62-89ec-269d8c272517/
SH256 hash:
ad9ad2a85749228a133a009fb9584097c97865a9983f24a4a6e47d23f57403fc
MD5 hash:
b7ad7c322c03a5f222e605fdfc9b04b2
SHA1 hash:
1e41f1cea652a751fb6236ceb456f948cf0a0765
Link:
https://www.unpac.me/results/d2cb4e5b-cccf-4d62-89ec-269d8c272517/
SH256 hash:
13b24d3a09d099dabe41cd6cd71607a77e14640b1e9b4ed2d60f6c012f191c43
MD5 hash:
109cedae3c384a1913107f1efad2b7c8
SHA1 hash:
1f7f35b0ed85fa12bb839cbce698e59a30813420
Link:
https://www.unpac.me/results/d2cb4e5b-cccf-4d62-89ec-269d8c272517/
SH256 hash:
2ce31869d3f088e65a0de0a5c4c6afa589452d3058a9ca37452d69c442ce5ac3
MD5 hash:
2633bfc89dfb8c3c1e08b657373494e6
SHA1 hash:
2c5b2590500a2ff20957689cef19a04009fbcadd
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/d2cb4e5b-cccf-4d62-89ec-269d8c272517/
Parent samples :
63dfa06e060f866e2762247bd6f172422c735f8d6f4402bf4b709933c2d4da59
b713419450af62ccb585f2636216809e83b16b8046159ddc5a86ca080226c67e
e301fd976c111fd0f209f4cb6e8bd267bd5eb242707ad286b217a5d98032aad6
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Nanocore
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b713419450af62ccb585f2636216809e83b16b8046159ddc5a86ca080226c67e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/70139/

Comments