MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 baf5098a21b4d571d2c23727229db27ee1c81216aeddbe59ee391f94154ca33d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 8


Intelligence 8 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: baf5098a21b4d571d2c23727229db27ee1c81216aeddbe59ee391f94154ca33d
SHA3-384 hash: 272c7a5884a762c1fb96eabd41886c31db4960c2c1f0f698bd6f767a8bb9e26bc3a747eb1ffb0d1c6a7ca43a99a55cbe
SHA1 hash: 351cacf4769b0665637e3140e7cd6298fc47dca2
MD5 hash: 12a8aedc64d257284518786a1caa579d
humanhash: yellow-kitten-river-nine
File name:stub.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:659'456 bytes
First seen:2020-07-15 08:39:47 UTC
Last seen:2020-07-15 10:13:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:EwM5h4cmg9Bw/b7Fvkc8Qzs8TAzLSUI+Peu6h3D:EwMf4J/PFvh8QAzucmuA
Threatray 1'114 similar samples on MalwareBazaar
TLSH DBE4E110B2858252D5ADBDBED3E391150773B4DB7E33E78677CCA1A82B233859C0971A
Reporter JAMESWT_WT
Tags:NanoCore

Intelligence

File Origin
# of uploads :
2
# of downloads :
112
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/25948/
Detection(s):
SecuriteInfo.com.Trojan.KillProc2.11135.17695.14217.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a window
Creating a file in the %AppData% subdirectories
Creating a file in the Program Files subdirectories
DNS request
Forced shutdown of a system process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Enabling autorun with Startup directory
Unauthorized injection to a system process
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/baf5098a21b4d571d2c23727229db27ee1c81216aeddbe59ee391f94154ca33d/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-15 08:41:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xl2qtcrbwtkxduwcg4tsfhnsp3q4qeqwv3o34wpohepzifkmum6q._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
062cf3944b0b563efc115688ff8910721db670950acf80c0020351b7d97b48c5
NanoCore
09cf9e7b4f32df0516fd394b6cf91e25951633d6ea74140df6697577111889ab
NanoCore
266c0f3b1cf78040080fce2037544112b77d23b25753c714d6390c2f705a3c34
NanoCore
732af876d4a5f421064389d615971a380c530252032d40651f058dde13798693
NanoCore
83a8770b696746dc54258ee42b776a69feb8f2bff538b50d840dcbbe9f80cfe5
NanoCore
91b9e5401ca19ff3f45d8c3acce6a793f7cb713bc6920d9c5371197ad6a3b582
NanoCore
a9352a90a15c864ae05d1d1138aff00094883dc44afffc471e837e46fe3eb24e
NanoCore
bc9204be92ac0bd373bc0153d02be668ad82d382ebcc112fa8c252e6f9c67080
NanoCore
df0c82790a3c6e0f1280a03ba2bc07e239a8119f8ae9d78108ec0bdfa93d8c36
NanoCore
e5e1d72cc6c9b97503fa2d43df4f1da20c97dd1803d86b0ae90312bac9cd0c04
NanoCore
+ 1'104 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
keylogger trojan stealer spyware family:nanocore persistence evasion
Link:
https://tria.ge/reports/200715-af1q4swfje/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run key to start application
Drops startup file
NanoCore
Malware Config
C2 Extraction:
meeti12.hopto.org:5600
meeti.duckdns.org:5600
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NanoCore

Executable exe baf5098a21b4d571d2c23727229db27ee1c81216aeddbe59ee391f94154ca33d

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/25948/
  
URLhaus
https://urlhaus.abuse.ch/url/413096/
  
Delivery method
Distributed via web download

Comments