MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bfd31ef9134e969fad9aee0e29b31c57e8d94f459d91bfe740cfa82e455cb5e5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 8


Intelligence 8 IOCs YARA 19 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bfd31ef9134e969fad9aee0e29b31c57e8d94f459d91bfe740cfa82e455cb5e5
SHA3-384 hash: 71c10bd286c7ec0ea05ba0c8ba73a9f22139652b021fc919edbf6f88a91c223b29e694f32f8f7558baafd8f04c4bd769
SHA1 hash: c0dc7a665aba04317defc381cd671b0a7dd74363
MD5 hash: 7cca525aeb8772ed3fb0a57abc2e9790
humanhash: three-apart-kansas-equal
File name:7cca525aeb8772ed3fb0a57abc2e9790.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:1'959'576 bytes
First seen:2020-12-30 10:55:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bde921566c38aff240c06ec9dec57320 (5 x NanoCore)
ssdeep 24576:OHcYHn8Vp7WasjQRDKtglGCtVbClQTQhz1ryNEuoaCnS1VisPO7isPN:QH8b7WaYQRDIgFG68hzuEuoaCnk7U7
Threatray 1'476 similar samples on MalwareBazaar
TLSH B295E10714340480DCF4CC75AB2AEA57BF58FE96EAD8F709564AF77AB9339B404309A1
Reporter abuse_ch
Tags:exe NanoCore RAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
385
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7cca525aeb8772ed3fb0a57abc2e9790.exe
Verdict:
No threats detected
Analysis date:
2020-12-30 10:56:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b23cd532-3085-4377-a79f-305d4e67adc9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
NetWire
Create hunting rule
Link:
https://www.capesandbox.com/analysis/109894/
Detection(s):
Win.Dropper.LokiBot-9226067-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Setting a keyboard event handler
Creating a file in the %AppData% subdirectories
Enabling the libraries to load when starting the app (AppInit_DLLs)
DNS request
Creating a file in the Program Files subdirectories
Replacing executable files
Moving a file to the Program Files subdirectory
Sending an HTTP GET request
Deleting a recently created file
Replacing files
Unauthorized injection to a recently created process
Connection attempt to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Moving of the original file
Creating a file in the mass storage device
Enabling autorun
Infecting executable files
Deleting of the original file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Darkcomet Nanocore Netwire
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/572058
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Connects to many ports of the same IP (likely port scanning)
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to log keystrokes
Contains functionality to steal Internet Explorer form passwords
Contains functionalty to change the wallpaper
Creates an undocumented autostart registry key
Detected Darkcomet RAT
Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Tries to detect virtualization through RDTSC time measurements
Uses dynamic DNS services
Yara detected DarkComet
Yara detected Generic Dropper
Yara detected Nanocore RAT
Yara detected Netwire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 335095 Sample: cZvalil6kB.exe Startdate: 30/12/2020 Architecture: WINDOWS Score: 100 47 freshboy4lifenano.duckdns.org 2->47 49 freshboy4lifemoney.duckdns.org 2->49 65 Found malware configuration 2->65 67 Malicious sample detected (through community Yara rule) 2->67 69 Antivirus detection for dropped file 2->69 71 13 other signatures 2->71 9 cZvalil6kB.exe 1 2->9         started        12 dhcpmon.exe 3 2->12         started        signatures3 process4 file5 85 Detected unpacking (changes PE section rights) 9->85 87 Detected unpacking (overwrites its own PE header) 9->87 89 Detected Darkcomet RAT 9->89 91 6 other signatures 9->91 15 cZvalil6kB.exe 5 9->15         started        45 C:\Users\user\AppData\...\dhcpmon.exe.log, ASCII 12->45 dropped signatures6 process7 dnsIp8 61 127.0.0.1 unknown unknown 15->61 31 C:\Users\user\AppData\Local\Temp31EW.EXE, PE32 15->31 dropped 33 C:\Users\user\AppData\...\BORNSTUNNER.EXE, PE32 15->33 dropped 63 Installs a global keyboard hook 15->63 20 NEW.EXE 5 15->20         started        24 BORNSTUNNER.EXE 1 10 15->24         started        file9 signatures10 process11 dnsIp12 35 C:\Users\user\AppData\Roaming\...\Host.exe, PE32 20->35 dropped 37 C:\Users\user\AppData\...\53BBCCC17C8.tmp, PE32 20->37 dropped 39 C:\Program Files\Common Files\...\symsrv.dll, PE32 20->39 dropped 73 Antivirus detection for dropped file 20->73 75 Multi AV Scanner detection for dropped file 20->75 77 Contains functionality to log keystrokes 20->77 79 Contains functionality to steal Internet Explorer form passwords 20->79 27 Host.exe 1 20->27         started        51 freshboy4lifenanobackup.duckdns.orgfreshboy4lifenanobackup.duckdns.org 24->51 53 freshboy4lifenano.duckdns.org 24->53 41 C:\Program Files (x86)\...\dhcpmon.exe, PE32 24->41 dropped 43 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 24->43 dropped 81 Machine Learning detection for dropped file 24->81 83 Hides that the sample has been downloaded from the Internet (zone.identifier) 24->83 file13 signatures14 process15 dnsIp16 55 freshboy4lifenanobackup.duckdns.orgfreshboy4lifenanobackup.duckdns.org 213.183.40.21, 3565, 5746 MELBICOM-EU-ASMelbikomasUABNL Lithuania 27->55 57 freshboy4lifemoney.duckdns.org 27->57 59 192.168.2.1 unknown unknown 27->59 93 Antivirus detection for dropped file 27->93 95 Multi AV Scanner detection for dropped file 27->95 97 Contains functionality to log keystrokes 27->97 101 2 other signatures 27->101 signatures17 99 Uses dynamic DNS services 55->99
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bfd31ef9134e969fad9aee0e29b31c57e8d94f459d91bfe740cfa82e455cb5e5/
Threat name:
Win32.Trojan.Graftor
Create hunting rule
Status:
Malicious
First seen:
2020-12-27 07:22:00 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=x7jr56itj2lj7lm25yhctmy4k7unst2ftwi37z2az6uc4rk4wxsq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
nanocorerat
Create hunting rule
Similar samples:
15f62d30d278ab652445fe389d4840af6b4be0d054aa24cf1debe958abaf4f49
NanoCore
4300bf267e8d21ee9c7b0d906b2da7545cb5b670bc2506edc6ea97132eefe10e
NanoCore
43b7ad6fd23489f738b0071bf1cc97be6582cc525cb5837b231484c78fb02e31
NanoCore
45758c4c53cd20b6f598a9cba7185150543d829eee00aaa8dc565cefd59e9909
NanoCore
6a223f3097e572a00aa6f1029bbbb6d71d66bb5bbf239177d232dca3c7f9bf33
NanoCore
822551723b7ae035394003750ee9cd16e1c12af0e07067f7d0760bd99c110898
NanoCore
a5e7773e86e1f8feacc75ced3053ac3d44af73d5b2ec72005c7ba2cd465f1ef3
NanoCore
c4814643da678ac9446ec619e269db1ccd32ebf1fa81f1d6ea8c7bc2c4e739ce
NanoCore
db07bff94b6ace3907b55971ba6234e6b232a66f2efd18425c7e21204025e6e3
NanoCore
e216062353c8bafbbed3e1fa3cd7d154aae43eec2011234f4e20ceb578237f69
NanoCore
+ 1'466 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/201230-3nxcgn1atn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Program crash
Unpacked files
SH256 hash:
bfd31ef9134e969fad9aee0e29b31c57e8d94f459d91bfe740cfa82e455cb5e5
MD5 hash:
7cca525aeb8772ed3fb0a57abc2e9790
SHA1 hash:
c0dc7a665aba04317defc381cd671b0a7dd74363
Link:
https://www.unpac.me/results/0c714c4a-7729-41e5-b22e-32cbb4645f7f/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Intezer_Vaccine_DarkComet
Create hunting rule
Author:Intezer Labs
Description:Automatic YARA vaccination rule created based on the file's genes
Reference:https://analyze.intezer.com
Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Malicious_BAT_Strings
Create hunting rule
Author:Florian Roth
Description:Detects a string also used in Netwire RAT auxilliary
Reference:https://pastebin.com/8qaiyPxs
Rule name:Malware_Floxif_mpsvc_dll
Create hunting rule
Author:Florian Roth
Description:Malware - Floxif
Reference:Internal Research
Rule name:Malware_QA_update
Create hunting rule
Author:Florian Roth
Description:VT Research QA uploaded malware - file update.exe
Reference:VT Research QA
Rule name:MAL_Floxif_Generic
Create hunting rule
Author:Florian Roth
Description:Detects Floxif Malware
Reference:Internal Research
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:nanocore_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:netwire
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect netwire in memory
Reference:internal research
Rule name:RAT_DarkComet
Create hunting rule
Author:Kevin Breen <kevin@techanarchy.net>
Description:Detects DarkComet RAT
Reference:http://malwareconfig.com/stats/DarkComet
Rule name:Suspicious_BAT_Strings
Create hunting rule
Author:Florian Roth
Description:Detects a string also used in Netwire RAT auxilliary
Reference:https://pastebin.com/8qaiyPxs
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:SUSP_Microsoft_Copyright_String_Anomaly_2
Create hunting rule
Author:Florian Roth
Description:Detects Floxif Malware
Reference:Internal Research
Rule name:win_darkcomet_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/109894/

Comments