MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf41232cf8f3b7a59706152858b300a9c7af30e7e0291f120dfd38657daf5b9c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bf41232cf8f3b7a59706152858b300a9c7af30e7e0291f120dfd38657daf5b9c
SHA3-384 hash: 72a20d28d67ba39665d09bfd88cefb494637a53d1fa1c1fd6323ee1d290a592211427ef080868470710c354ce0223d0b
SHA1 hash: 45cee56741e1a32b98ee0c9a1eed45f06aed9740
MD5 hash: 6f4bd9654da82fcf56fbd63491b119de
humanhash: uranus-video-lithium-red
File name:NEWORDERTHP000002228.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:155'648 bytes
First seen:2021-08-23 13:53:43 UTC
Last seen:2021-08-25 17:26:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash fab4938ac1c8c9d7cabba8b6fe9c5ef2 (1 x GuLoader, 1 x NanoCore)
ssdeep 1536:aFeaGyU8J6YVVcGx//Zhwae4EjXc9mk4TaTxGcGPXGpeptyNx7:anUPYVbjXe4MBXBTw
Threatray 4'295 similar samples on MalwareBazaar
TLSH T16EE373676A018828D15D68F074346BA23305FF0762485FEF7190FEB87A758A7B8A570F
dhash icon d2fefefefcf8d2c3 (2 x NanoCore, 1 x GuLoader)
Reporter Anonymous
Tags:exe NanoCore

Intelligence

File Origin
# of uploads :
3
# of downloads :
478
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
NEWORDERTHP000002228.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-23 08:30:12 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5dbd95e1-e541-449e-b251-e5753200a821

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/181509/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a UDP request
Launching a process
Creating a process with a hidden window
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5e85206b-c3ac-4d21-b572-557e76bc3c9d
Result
Threat name:
Nanocore GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/837568
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected GuLoader
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 469999 Sample: NEWORDERTHP000002228.exe Startdate: 23/08/2021 Architecture: WINDOWS Score: 100 47 northside.hopto.org 2->47 49 s3-r-w.us-east-2.amazonaws.com 2->49 51 luv1.s3.us-east-2.amazonaws.com 2->51 59 Found malware configuration 2->59 61 Malicious sample detected (through community Yara rule) 2->61 63 Antivirus / Scanner detection for submitted sample 2->63 65 8 other signatures 2->65 9 NEWORDERTHP000002228.exe 1 2->9         started        12 Wellingtonia.exe 2->12         started        14 Wellingtonia.exe 2->14         started        16 RegAsm.exe 4 2->16         started        signatures3 process4 signatures5 75 Writes to foreign memory regions 9->75 77 Tries to detect Any.run 9->77 79 Hides threads from debuggers 9->79 18 RegAsm.exe 1 22 9->18         started        81 Antivirus detection for dropped file 12->81 23 RegAsm.exe 1 12->23         started        25 RegAsm.exe 1 14->25         started        27 RegAsm.exe 14->27         started        29 conhost.exe 16->29         started        process6 dnsIp7 53 northside.hopto.org 23.105.131.236, 49718, 49726, 49727 LEASEWEB-USA-NYC-11US United States 18->53 55 s3-r-w.us-east-2.amazonaws.com 52.219.105.202, 443, 49717 AMAZON-02US United States 18->55 57 luv1.s3.us-east-2.amazonaws.com 18->57 41 C:\Users\user\...\Wellingtonia.exe, PE32 18->41 dropped 43 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 18->43 dropped 45 C:\Users\user\AppData\Local\...\tmp5EAF.tmp, XML 18->45 dropped 67 Uses schtasks.exe or at.exe to add and modify task schedules 18->67 69 Tries to detect Any.run 18->69 71 Hides threads from debuggers 18->71 73 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->73 31 schtasks.exe 1 18->31         started        33 conhost.exe 18->33         started        35 conhost.exe 23->35         started        37 conhost.exe 25->37         started        file8 signatures9 process10 process11 39 conhost.exe 31->39         started       
Detection:
guloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/bf41232cf8f3b7a59706152858b300a9c7af30e7e0291f120dfd38657daf5b9c/
Threat name:
Win32.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2021-08-22 22:53:13 UTC
AV detection:
3 of 46 (6.52%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
02738721df55077c4a8b8826e7cdd0243003ba4b34cb71f314ad05a29330c9c3
NanoCore
1ad231fb8cb3ab712bef3aae2c319cdd3d9f085eea7e0d205ca3729a85eb1294
NanoCore
3ee7986c2ffb27457b0e9d270fdd477c953c310503fffc27aed1aa8cc6e8c70d
NanoCore
429a766fbf315ee6e6ec01e3a36cc39a66b14c3c71d2a5de94f5fbd2212367dd
NanoCore
5c4943289a1959b03d31592b147472be4d31a2637316b7bbe102412082619502
NanoCore
7765b39aa0345fd2af3838a548807c90094ea98d227d625ed742260833643b52
NanoCore
7aac0d666b2552cb06d944ea7c54852070a9434708b221232faff64396b8f70a
NanoCore
8f1517666a1f5f7f6d0f38814909251d41de92126c2a7df0626de2fa1ae9ba1f
NanoCore
aa474883fd952e16e13715aa7a698fa8eb0d596fea71d03dfbaa235a1b08aa15
NanoCore
ed3a8701ae1164a1eec2e06b24ce46f54dd8c19838f7c5f92938cf1156178dca
NanoCore
+ 4'285 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:nanocore downloader evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210823-s6c4ets87a/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Checks QEMU agent file
Guloader,Cloudeye
NanoCore
Malware Config
C2 Extraction:
northside.hopto.org:9497
parqan.hopto.org:9497
Unpacked files
SH256 hash:
bf41232cf8f3b7a59706152858b300a9c7af30e7e0291f120dfd38657daf5b9c
MD5 hash:
6f4bd9654da82fcf56fbd63491b119de
SHA1 hash:
45cee56741e1a32b98ee0c9a1eed45f06aed9740
Link:
https://www.unpac.me/results/4d4af8c3-33b7-4f6c-8026-7778081af124/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/bf41232cf8f3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bf41232cf8f3b7a59706152858b300a9c7af30e7e0291f120dfd38657daf5b9c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Distributed via e-mail link
Cape
Cape
https://www.capesandbox.com/analysis/181509/

Comments