MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b87295a4b2fb2d2f4df9d502d52e2f50a5e9b3ba9f56b17e252fa0f3022ae6f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b87295a4b2fb2d2f4df9d502d52e2f50a5e9b3ba9f56b17e252fa0f3022ae6f4
SHA3-384 hash: f6de20a983598a34d9bdcf67df5cf100f4a07ebfa661791866cb59f6f188c6633778e2867c9400aa0c271997fafa6bc0
SHA1 hash: 02482738aebf223e424f34dfe9eefc55671caf65
MD5 hash: 91027dd7468e8836631a8793d73164fd
humanhash: pizza-uniform-fifteen-india
File name:b87295a4b2fb2d2f4df9d502d52e2f50a5e9b3ba9f56b17e252fa0f3022ae6f4
Download: download sample
Signature NanoCore
Create hunting rule
File size:4'058'112 bytes
First seen:2020-07-29 07:11:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 98304:nviz/27qWGq/TzuqCDl2Ptao7jsyqRgkhPsj9Nr:nviq75/TzufI8PeNr
Threatray 1'639 similar samples on MalwareBazaar
TLSH A916334275CC0867DA3203B21CFD63971FE4BCE26379D70A71C971CA0A954A179B2FA6
Reporter JAMESWT_WT
Tags:NanoCore

Intelligence

File Origin
# of uploads :
1
# of downloads :
69
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/34309/
Detection(s):
Win.Malware.Generic-6895514-0
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Sending a custom TCP request
Creating a window
Delayed reading of the file
Creating a file
Creating a file in the %AppData% subdirectories
Connection attempt
Searching for the window
Deleting a recently created file
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Unauthorized injection to a recently created process
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/401471
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
Connects to many ports of the same IP (likely port scanning)
Creates multiple autostart registry keys
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 252973 Sample: zeIwplqfMp Startdate: 29/07/2020 Architecture: WINDOWS Score: 100 88 Found malware configuration 2->88 90 Malicious sample detected (through community Yara rule) 2->90 92 Sigma detected: NanoCore 2->92 94 7 other signatures 2->94 11 zeIwplqfMp.exe 1 13 2->11         started        14 WindowsDefenderUpdater.exe 2->14         started        17 WindowsDefenderUpdater.exe 2->17         started        19 3 other processes 2->19 process3 file4 72 C:\Users\user\AppData\Local\...\lua51.dll, PE32 11->72 dropped 74 C:\Users\user\AppData\Local\...\lua5.1.dll, PE32 11->74 dropped 76 C:\Users\user\AppData\Local\Temp\...\CDS.exe, PE32 11->76 dropped 21 CDS.exe 1 3 11->21         started        78 C:\Users\user\AppData\...\tmpB3B1.tmp.exe, PE32 14->78 dropped 114 Injects a PE file into a foreign processes 14->114 25 tmpB3B1.tmp.exe 14->25         started        28 WindowsDefenderUpdater.exe 14->28         started        30 WindowsDefenderUpdater.exe 14->30         started        80 C:\Users\user\AppData\...\tmpD8CD.tmp.exe, PE32 17->80 dropped 32 tmpD8CD.tmp.exe 17->32         started        34 WindowsDefenderUpdater.exe 17->34         started        36 WindowsDefenderUpdater.exe 17->36         started        116 Machine Learning detection for dropped file 19->116 signatures5 process6 dnsIp7 82 192.168.2.1 unknown unknown 21->82 64 C:\Users\user\AppData\Local\...\crypted.exe, PE32 21->64 dropped 38 crypted.exe 1 3 21->38         started        104 Machine Learning detection for dropped file 25->104 file8 signatures9 process10 file11 66 C:\ProgramData\WindowsDefenderUpdater.exe, PE32 38->66 dropped 98 Machine Learning detection for dropped file 38->98 100 Creates multiple autostart registry keys 38->100 102 Injects a PE file into a foreign processes 38->102 42 WindowsDefenderUpdater.exe 4 38->42         started        46 crypted.exe 6 38->46         started        49 crypted.exe 38->49         started        signatures12 process13 dnsIp14 68 C:\Users\user\AppData\...\tmp95C9.tmp.exe, PE32 42->68 dropped 108 Machine Learning detection for dropped file 42->108 110 Injects a PE file into a foreign processes 42->110 51 tmp95C9.tmp.exe 42->51         started        55 WindowsDefenderUpdater.exe 2 42->55         started        84 KUTAS54645-53485.portmap.host 193.161.193.99, 37458, 49731, 49736 BITREE-ASRU Russian Federation 46->84 86 127.0.0.1 unknown unknown 46->86 70 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 46->70 dropped 112 Hides that the sample has been downloaded from the Internet (zone.identifier) 46->112 file15 signatures16 process17 file18 62 C:\Users\user\AppData\Roaming\...\Chrome.exe, PE32 51->62 dropped 96 Machine Learning detection for dropped file 51->96 57 powershell.exe 51->57         started        signatures19 process20 signatures21 106 Creates multiple autostart registry keys 57->106 60 conhost.exe 57->60         started        process22
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b87295a4b2fb2d2f4df9d502d52e2f50a5e9b3ba9f56b17e252fa0f3022ae6f4/
Threat name:
Win32.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2020-07-28 20:53:37 UTC
File Type:
PE (Exe)
Extracted files:
765
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xbzjljfs7mws6tpz2ubnklrpkcs6tm52t5llc7rff6qpgark432a._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
1f02d06a14d5e83c297271a24f9dad9f28d25e387bc65784077ddc27165290b5
NanoCore
250cfc3bf5271e6a5cdd6ebe240865bf2f960c877590b679c878181b42f85341
NanoCore
3f4906997a52eb2fd4ee5341cc7acadbb66397a2edd75d2781770ede1e14dbef
NanoCore
548c375182f63e134625ec757d001e42051be39bf22f4065932ba53557825312
NanoCore
ace64cbe1ef91a0b14602264fe0de8e3698cb8b901cbd6251b3fd11d87a0bef6
NanoCore
b0fedb5fc4232c07ff1161ddcc830cf11596ba2653cc7cea1d5666b4bab1f276
NanoCore
b2f041348835c102db3769245ee4c28dd00cb19c3c6710fc9c11228f3bbce61b
NanoCore
cfb6b2b831592f1ebd43929977ae4963f8c2b3b2472214c82c3c3c1513a6b54f
NanoCore
ef5b4a828d4322e2ca5681423488e03e9991191809fc068d80ce0bbeba792984
NanoCore
fc0ffda44e2748b424639a1592356cc209abf6045a8d6a069f5f562ea1f31763
NanoCore
+ 1'629 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
persistence evasion trojan keylogger stealer spyware family:nanocore
Link:
https://tria.ge/reports/200729-6pb74tfjsa/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetThreadContext
JavaScript code in executable
Checks whether UAC is enabled
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
NanoCore
Malware Config
C2 Extraction:
KUTAS54645-53485.portmap.host:37458
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b87295a4b2fb2d2f4df9d502d52e2f50a5e9b3ba9f56b17e252fa0f3022ae6f4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/34309/

Comments