MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf814616d20252c842d9deb1f8b998f71a14ced547c4b1a3c934b02b6eee527a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 8

Intelligence 8 IOCs YARA 6 File information Comments

SHA256 hash:	bf814616d20252c842d9deb1f8b998f71a14ced547c4b1a3c934b02b6eee527a
SHA3-384 hash:	ec9a22d2b1497a43ef18307640152c2df6e70dc4b91d5836ccccb0432f583ff72e32371b04aa907c61adb8fd71aeff45
SHA1 hash:	690f6e0c955fa27e6e38d56d877d60464d6f56f5
MD5 hash:	8cb0f08b3d07a75b6192fefce30654ef
humanhash:	ceiling-ten-mars-solar
File name:	bf814616d20252c842d9deb1f8b998f71a14ced547c4b1a3c934b02b6eee527a
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	1'184'852 bytes
First seen:	2020-11-09 21:41:25 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep	24576:2VbLLG2UKg2aGRe+xazXoWPf8XAuKbr+VeGlR:h9L8s7oWPf8VKb4f
Threatray	1'245 similar samples on MalwareBazaar
TLSH	9F45BFA3DA417A31C67B9AF72D116F640CB35E221327BD774318262FD9276523CA3263
Reporter	seifreed
Tags:	NanoCore

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Trojan.DarkKomet-9789935-0

Win.Packed.Emotet-9790742-0

Win.Packed.Emotet-9790818-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for the window

Creating a file

Creating a process from a recently created file

Running batch commands

Creating a process with a hidden window

Using the Windows Management Instrumentation requests

Launching a process

Creating a file in the %AppData% subdirectories

Creating a file in the Program Files subdirectories

Creating a file in the %temp% directory

Deleting a recently created file

Connection attempt

Launching a tool to kill processes

Unauthorized injection to a recently created process

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Enabling autorun by creating a file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bf814616d20252c842d9deb1f8b998f71a14ced547c4b1a3c934b02b6eee527a/

Threat name:

Win32.Trojan.NanoBot

Status:

Malicious

First seen:

2020-11-10 00:49:54 UTC

AV detection:

20 of 29 (68.97%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=x6aumfwsajjmqqwz32y7romy64nbjtwvi7cldi6jgsycw3xokj5a._file

Verdict:

malicious

Label(s):

nanocorerat

NanoCore

1d41e76da681ad17d46ff9a1fb6f59afb00a8e96df9f2adf42634f05849e6fd2

NanoCore

4492477085185c93963a539b53e4b5b13039562d20131a9a6764c62acf1c8e25

NanoCore

4cc5f468994fd62cc832482404cfc7e45232f059b9d355d3df41535a170b3470

NanoCore

5c3d4d39b3420ad107704cfc09635b54777bb36b15fb9215d4aa736a55a0cbd0

NanoCore

6c3162eaafbc94bfa239e84ba966a8e3ce431b7ebff852f2bc4c27a0d9fdae70

NanoCore

a9352a90a15c864ae05d1d1138aff00094883dc44afffc471e837e46fe3eb24e

NanoCore

b8f3cbf0a0b70cb4b78ca6c7506b17b63cca1de782a1897dfba2bd8156303283

NanoCore

bc9204be92ac0bd373bc0153d02be668ad82d382ebcc112fa8c252e6f9c67080

NanoCore

e5e1d72cc6c9b97503fa2d43df4f1da20c97dd1803d86b0ae90312bac9cd0c04

NanoCore

+ 1'235 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

family:nanocore evasion keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/201109-bncj9qjvq6/

Behaviour

Creates scheduled task(s)

Delays execution with timeout.exe

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry class

Drops file in Program Files directory

Adds Run key to start application

Checks whether UAC is enabled

Loads dropped DLL

Executes dropped EXE

NanoCore

Malware Config

C2 Extraction:

188.233.47.224:35274

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Nanocore

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bf814616d20252c842d9deb1f8b998f71a14ced547c4b1a3c934b02b6eee527a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	nanocore_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name:	win_nanocore_w0 Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample