MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b938308e908f642f82eb2cfd683a86fcfb09d525e865810dd5af635cfabd315f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 10


Intelligence 10 IOCs YARA 18 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b938308e908f642f82eb2cfd683a86fcfb09d525e865810dd5af635cfabd315f
SHA3-384 hash: a6d28c813d65b69f090ff7a9fa561b8676d807e1e4727e7c8d249dc1c815be9b688ff77dded31cdc36d1972dff228e7c
SHA1 hash: 3a86bafbf64c0b9fd62a564fd02c4c6d019039f7
MD5 hash: 2586e8864b73757a32448e512ed5a30f
humanhash: johnny-mockingbird-alaska-juliet
File name:outstanding Invoices.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:1'196'544 bytes
First seen:2020-10-20 08:24:27 UTC
Last seen:2020-10-25 22:33:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:K4YC1Iz0ikGdQuYKDnTLjEw3XPAAHq7F51dvqA+mH:K4O0LGdsI/53XbK7Fpq
Threatray 1'582 similar samples on MalwareBazaar
TLSH 6C457DB27C92587ECA6B077550A985C1FABA16C73FA48B0D71AF430C0F11A1BEB53257
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
NanoCore RAT C2s:
3.131.207.170:20027
3.23.182.29:20027

Intelligence

File Origin
# of uploads :
2
# of downloads :
105
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/73335/
Detection(s):
SecuriteInfo.com.BackDoor.SpyBotNET.25.21820.29866.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% subdirectories
Creating a window
Unauthorized injection to a recently created process
Launching a process
Result
Threat name:
Nanocore Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/497305
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Binary contains a suspicious time stamp
Connects to many ports of the same IP (likely port scanning)
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: NanoCore
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Nanocore RAT
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 300836 Sample: outstanding Invoices.exe Startdate: 20/10/2020 Architecture: WINDOWS Score: 100 47 3.tcp.ngrok.io 2->47 61 Found malware configuration 2->61 63 Malicious sample detected (through community Yara rule) 2->63 65 Antivirus detection for dropped file 2->65 67 17 other signatures 2->67 10 outstanding Invoices.exe 7 2->10         started        14 Client-built.exe 2->14         started        16 dhcpmon.exe 2->16         started        signatures3 process4 file5 41 C:\Users\...\outstanding Invoices.exe.log, ASCII 10->41 dropped 43 C:\Users\user\AppData\Local\Temp\...\Xxl.dll, PE32 10->43 dropped 45 C:\Users\user\AppData\...\AgileDotNetRT.dll, PE32 10->45 dropped 77 Injects a PE file into a foreign processes 10->77 18 outstanding Invoices.exe 5 10->18         started        signatures6 process7 file8 33 C:\Users\user\AppData\...\Client-built.exe, PE32 18->33 dropped 35 C:\Users\user\AppData\Local\Temp\Bin.exe, PE32 18->35 dropped 21 Client-built.exe 15 4 18->21         started        25 Bin.exe 1 10 18->25         started        process9 dnsIp10 49 18.220.222.33, 20027, 22918, 49749 AMAZON-02US United States 21->49 51 ip-api.com 208.95.112.1, 49745, 80 TUT-ASUS United States 21->51 53 192.168.2.1 unknown unknown 21->53 69 Antivirus detection for dropped file 21->69 71 Multi AV Scanner detection for dropped file 21->71 73 Machine Learning detection for dropped file 21->73 75 3 other signatures 21->75 28 schtasks.exe 21->28         started        55 3.tcp.ngrok.io 3.131.207.170, 20027, 49743, 49761 AMAZON-02US United States 25->55 57 3.22.53.161, 20027, 49750, 49754 AMAZON-02US United States 25->57 37 C:\Program Files (x86)\...\dhcpmon.exe, PE32 25->37 dropped 39 C:\Users\user\AppData\Roaming\...\run.dat, data 25->39 dropped file11 signatures12 process13 dnsIp14 59 1.2.3.4 CLOUDFLARENETUS Australia 28->59 31 conhost.exe 28->31         started        process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b938308e908f642f82eb2cfd683a86fcfb09d525e865810dd5af635cfabd315f/
Threat name:
ByteCode-MSIL.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2020-10-20 03:51:42 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xe4dbduqr5sc7axlft6wqoug7t5qtvjf5bsycdovv5rvz6v5gfpq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
2801e23864a2d65490e0ef7663d0d0e4292242f84d8368f0cdeefa868c375521
NanoCore
354fd3500b12f4f9c10b5b8c43c9bddb05e30cad2443f77db91eeb0cda7188b8
NanoCore
572c44582bd57e673a2fffa68259bd82cf37b9f95030e2d8906b588e71d808e0
NanoCore
6f8b5cad56d107434291b260c5483479d0ac1d02498d5bfad7468a02dc7fc19d
NanoCore
91de70857ce9dbf596a67b2abad7552a467fcc2a155d349799261fb8585e6c18
NanoCore
95ccbdefafb7f4b5e2a505d3681803940a8fa7a5cae06ee56036009b4253c5ac
NanoCore
9dfc0d127c1129cd943b1c6ea494a01b40b6b29656db9a44f3dc3231db127a0e
NanoCore
c0fe48e42fb4769fd14e90de135d33729de312e0b82ba907885b26462f80af01
NanoCore
dca205ee15b1128bf97fa8660ee3240f4283109cd8e4d4334c394766449b6e15
NanoCore
fca8e004262426185cff710c3f904ffe5fd13dbe8de480cbf1320fe565e5513d
NanoCore
+ 1'572 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
evasion trojan keylogger stealer spyware family:nanocore persistence family:quasar
Link:
https://tria.ge/reports/201020-agwvrqgv66/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Looks up external IP address via web service
Loads dropped DLL
Executes dropped EXE
NanoCore
Quasar RAT
Malware Config
C2 Extraction:
3.tcp.ngrok.io:20027
Unpacked files
SH256 hash:
b938308e908f642f82eb2cfd683a86fcfb09d525e865810dd5af635cfabd315f
MD5 hash:
2586e8864b73757a32448e512ed5a30f
SHA1 hash:
3a86bafbf64c0b9fd62a564fd02c4c6d019039f7
Link:
https://www.unpac.me/results/2859542d-68cd-4768-877b-2c429037dc36/
SH256 hash:
89dc9a3545c5ef426744d43731e5760d92f38b380173c48a7af57967032c5fa4
MD5 hash:
5b4f5aa68549efbc77edef4c1c039efd
SHA1 hash:
180468bd701dd9745ceae68a53dbe399b58eb11a
Link:
https://www.unpac.me/results/2859542d-68cd-4768-877b-2c429037dc36/
SH256 hash:
e0becb3532bd89ede90dc881735c824e66df23a639a21ecebdddc20b93e69da3
MD5 hash:
407ec810e825f2dfb808723bd5aaa372
SHA1 hash:
5497c6a174100ded672ddb76013d97bb806fe455
Link:
https://www.unpac.me/results/2859542d-68cd-4768-877b-2c429037dc36/
SH256 hash:
2505ef5df6ce33fe83353017cc803280208c27237c5ad72504e125fc5a3d4e3b
MD5 hash:
e22029f0d0c874d4bbd02111f83bd695
SHA1 hash:
a8abc813cc98c3f8c85e841d53af93692c413f4d
Link:
https://www.unpac.me/results/2859542d-68cd-4768-877b-2c429037dc36/
SH256 hash:
f86c49d95f6a57010a0048b0ff1f054de35e581e3b72a276fc81838ffd2f2f73
MD5 hash:
8da5165be6c5e84fc4a2de48fc325194
SHA1 hash:
d4760184de5612b674664c31d4fb66df3063b81f
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/2859542d-68cd-4768-877b-2c429037dc36/
Parent samples :
572c44582bd57e673a2fffa68259bd82cf37b9f95030e2d8906b588e71d808e0
fca8e004262426185cff710c3f904ffe5fd13dbe8de480cbf1320fe565e5513d
dca205ee15b1128bf97fa8660ee3240f4283109cd8e4d4334c394766449b6e15
91de70857ce9dbf596a67b2abad7552a467fcc2a155d349799261fb8585e6c18
95ccbdefafb7f4b5e2a505d3681803940a8fa7a5cae06ee56036009b4253c5ac
b938308e908f642f82eb2cfd683a86fcfb09d525e865810dd5af635cfabd315f
SH256 hash:
30140c3bf5874d7d184b15513016f9de1524ae95a5efe9a1cb15bad6d6936d64
MD5 hash:
03847d82611bc6461cbb99ca768828f1
SHA1 hash:
39859a3fd3326520dfd1ed10456bb227933a8871
Link:
https://www.unpac.me/results/2859542d-68cd-4768-877b-2c429037dc36/
SH256 hash:
19d9922060be89a70b76e5c0056e751f1baa5d41819235c92cf4f5d7668e1267
MD5 hash:
811864a0b06c529af894a7fec6ddbf47
SHA1 hash:
d35b82933eb06a6ec60e8cbbdb65eb6cdcaeb6d2
Link:
https://www.unpac.me/results/2859542d-68cd-4768-877b-2c429037dc36/
Parent samples :
afa2f55e149097f9b250142bbfd94d9d56d10649c96adb079fdb0dfdac7c6660
69e2ae11e1b5cbe120bf02301191a1cf05e87fc09b09d63bd782abbf3615d05d
0b778873c94f6bc89a40294c0e85a38ab82509260cd2a2e8b73d00c5c90e8757
7ddfa6f44a60f4b894321f6977f8121cfb371c3c61ac872c58ba61fd5ee13deb
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/b938308e908f642f82eb2cfd683a86fcfb09d525e865810dd5af635cfabd315f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:CN_disclosed_20180208_KeyLogger_1
Create hunting rule
Author:Florian Roth
Description:Detects malware from disclosed CN malware set
Reference:https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifcats observed in infostealers
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_QuasarRAT
Create hunting rule
Author:ditekSHen
Description:QuasarRAT payload
Rule name:MAL_QuasarRAT_May19_1
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:MSILStealer
Create hunting rule
Author:https://github.com/hwvs
Description:Detects strings from C#/VB Stealers and QuasarRat
Reference:https://github.com/quasar/QuasarRAT
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:nanocore_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:Quasar
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect QuasarRAT in memory
Rule name:Quasar_RAT_1
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Quasar_RAT_2
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Vermin_Keylogger_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Vermin Keylogger
Reference:https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>
Rule name:xRAT_1
Create hunting rule
Author:Florian Roth
Description:Detects Patchwork malware
Reference:https://goo.gl/Pg3P4W

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

Executable exe b938308e908f642f82eb2cfd683a86fcfb09d525e865810dd5af635cfabd315f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/73335/

Comments