MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c03005da40fab995feb7ab61994ce2421b206164e8a72192be8f3835cc2a5a3a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NanoCore


Vendor detections: 9



SHA256 hash: c03005da40fab995feb7ab61994ce2421b206164e8a72192be8f3835cc2a5a3a
SHA3-384 hash: d8b5eb42f9da82c3cc7b2288703c7729409e0e295748e88476d5b56235d995eb35b100a2b0dc981cf16118bae600f620
SHA1 hash: 1cfb0d2b29a772f7124c9291ab621bff356ad0f8
MD5 hash: bc9a97d3fa4fe78518563424e9922bdb
humanhash: river-winner-seven-robert
File name: PAYMENT-SWIFTCOPY.exe
Signature: NanoCore
File size: 951'336 bytes
First seen: 2021-10-29 20:56:08 UTC
Last seen: 2021-11-08 11:59:46 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 12288:iQnk3GDYKGcblwtX+t4Y8P9pyhc3EuLfWd1X1TMtLoYZofwFTIaBojiaeDGs1Zd1:2AOcZwXY9hvubO1X1TMJIoL6i1hFh
TLSH T1991512017BD18873E43329325A35AB246D3D7D202F259A6FB3E4296DCE310D16639BB7
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter abuse_ch
Tags: exe NanoCore RAT


abuse_ch
NanoCore C2:
194.5.98.32:9829

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                 ThreatFox Reference
194.5.98.32:9829    https://threatfox.abuse.ch/ioc/237764/

Intelligence


File Origin
# of uploads: 2
# of downloads: 239
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: PAYMENT-SWIFTCOPY.exe
Verdict: Malicious activity
Analysis date: 2021-10-29 21:00:18 UTC
Tags: rat nanocore

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:
Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process from a recently created file
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Nanocore
Detection: malicious
Classification: troj.adwa.expl.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Changes security center settings (notifications, updates, antivirus, firewall)
Detected Nanocore Rat
Disables UAC (registry)
Drops PE files to the startup folder
Drops PE files with benign system names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Bypass UAC via CMSTP
Sigma detected: NanoCore
Sigma detected: Powershell adding suspicious path to exclusion list
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Nanocore RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph (ID 512051; sample PAYMENT-SWIFTCOPY.exe; start date 29/10/2021; architecture WINDOWS; score 100)
Top-level network contacts: prda.aadg.msidentity.com, cdn.discordapp.com
Top-level signatures: Malicious sample detected (through community Yara rule); System process connects to network (likely due to code injection or exploit); Sigma detected: Powershell adding suspicious path to exclusion list; 13 other signatures
Process tree (as recorded in the graph):
  PAYMENT-SWIFTCOPY.exe
    dropped: C:\Users\user\AppData\...\egocentricity.exe (PE32)
    started: cmd.exe
      started: egocentricity.exe, conhost.exe
        egocentricity.exe dropped: C:\Users\user\AppData\...\incrustations.exe (PE32)
        egocentricity.exe started: incrustations.exe
          network: cdn.discordapp.com 162.159.133.233:443 (CLOUDFLARENETUS, United States; client ports 49744, 49745)
          dropped: C:\Users\user\AppData\...\unnilquadium.exe (PE32); C:\Program Files\Common Files\...\svchost.exe (PE32)
          signatures: Machine Learning detection for dropped file; Drops PE files to the startup folder; Adds a directory exclusion to Windows Defender; 3 other signatures
          started: RegSvcs.exe, unnilquadium.exe, RegSvcs.exe, 9 other processes
            RegSvcs.exe network: doc-file.ddns.net 194.5.98.32 (DANILENKODE, Netherlands; client ports 49755, 49756, 49759); 127.0.0.1
            RegSvcs.exe dropped: C:\Users\user\AppData\Roaming\...\run.dat (data); C:\Users\user\AppData\Local\...\tmpC4DB.tmp (XML); C:\Program Files (x86)\...\dhcpmon.exe (PE32)
            RegSvcs.exe signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
            unnilquadium.exe network: 162.159.135.233:443 (CLOUDFLARENETUS, United States; client ports 49746, 49747); cdn.discordapp.com
            unnilquadium.exe dropped: C:\Users\user\AppData\...\AdvancedRun.exe (PE32)
            unnilquadium.exe signature: Hides threads from debuggers
            second RegSvcs.exe signature: Uses schtasks.exe or at.exe to add and modify task schedules
            9 other processes: network 192.168.2.1; started AdvancedRun.exe, conhost.exe, conhost.exe, 6 other processes
  svchost.exe
    signature: Changes security center settings (notifications, updates, antivirus, firewall)
  unnilquadium.exe
    network: cdn.discordapp.com
    dropped: C:\Windows\Temp\izw24e52.inf (Windows)
  5 other processes
Threat name: ByteCode-MSIL.Backdoor.NanoBot
Status: Malicious
First seen: 2021-10-29 20:57:06 UTC
AV detection: 4 of 44 (9.09%)
Threat level: 5/5
Verdict: malicious
Label(s): nanocorerat
Result
Malware family: nanocore
Score: 10/10
Tags: family:nanocore evasion keylogger persistence spyware stealer trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Drops startup file
Loads dropped DLL
Windows security modification
Executes dropped EXE
Nirsoft
Modifies Windows Defender Real-time Protection settings
NanoCore
Turns off Windows Defender SpyNet reporting
UAC bypass
Windows security bypass
Malware Config
C2 Extraction:
doc-file.ddns.net:9829
127.0.0.1:9829
Unpacked files
SHA256 hash: aad510126ff5a5a3d23abc154602cf6f6f980f773487d5cc18f498eec1c326cb
MD5 hash: b12459c61dab1cc5c6c948e26809972b
SHA1 hash: 073eb9df930aaa2d8b4d6f9a5baf05e96aaa9568
SHA256 hash: c03005da40fab995feb7ab61994ce2421b206164e8a72192be8f3835cc2a5a3a
MD5 hash: bc9a97d3fa4fe78518563424e9922bdb
SHA1 hash: 1cfb0d2b29a772f7124c9291ab621bff356ad0f8
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_NanoCore
Author: abuse.ch
Rule name: MALWARE_Win_NanoCore
Author: ditekSHen
Description: Detects NanoCore
Rule name: Nanocore
Author: JPCERT/CC Incident Response Group
Description: detect Nanocore in memory
Reference: internal research
Rule name: nanocore_rat
Author: jeFF0Falltrades
Rule name: Nanocore_RAT_Feb18_1
Author: Florian Roth
Description: Detects Nanocore RAT
Reference: Internal Research - T2T
Rule name: Nanocore_RAT_Feb18_1_RID2DF1
Author: Florian Roth
Description: Detects Nanocore RAT
Reference: Internal Research - T2T
Rule name: Nanocore_RAT_Gen_2
Author: Florian Roth
Description: Detects the Nanocore RAT
Reference: https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name: Nanocore_RAT_Gen_2_RID2D96
Author: Florian Roth
Description: Detects the Nanocore RAT
Reference: https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: win_nanocore_w0
Author: Kevin Breen <kevin@techanarchy.net>

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments