MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c28cba104f491492158eedaf98c27c4f1f16aee1c6a4de5808e4cf9972dec69f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c28cba104f491492158eedaf98c27c4f1f16aee1c6a4de5808e4cf9972dec69f
SHA3-384 hash: acc88cd00fa56b9171c0974b54b300c72038539567cf0a3a3492fcb2266422e0d5daddca33a96762bd211a017578426a
SHA1 hash: 605feea330b6755ad178a381cd7890ec3c2892e2
MD5 hash: 24063c12917262d48919ee8f3a2b3940
humanhash: indigo-pizza-ohio-freddie
File name:524241363INV0ICE.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:3'846'144 bytes
First seen:2021-05-26 16:59:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'813 x AgentTesla, 19'735 x Formbook, 12'282 x SnakeKeylogger)
ssdeep 1536:aSYFwETHwTGtKf987APyP1t32pqXduJTziqwry3RGzVovG31yi4eFxQnVnqqtq3N:aXFwETBKu
Threatray 248 similar samples on MalwareBazaar
TLSH 4606FD4902A70E8C9F3BBCE19E95D41D0A87CAB45C3FF4456A62186F1794884FB71B3B
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
NanoCore C2:
194.5.97.75:8090

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
194.5.97.75:8090 https://threatfox.abuse.ch/ioc/31242/

Intelligence

File Origin
# of uploads :
1
# of downloads :
155
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
524241363INV0ICE.exe
Verdict:
Malicious activity
Analysis date:
2021-05-26 17:10:56 UTC
Tags:
rat nanocore trojan
Link:
https://app.any.run/tasks/1feb17d5-67f6-45a0-adad-8cb37767c28f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/162517/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Creating a window
Running batch commands
Unauthorized injection to a recently created process
Adding an access-denied ACE
Creating a file
Creating a file in the %AppData% subdirectories
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Setting a single autorun event
Adding exclusions to Windows Defender
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/792732
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an autostart registry key pointing to binary in C:\Windows
Detected Nanocore Rat
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 425132 Sample: 524241363INV0ICE.exe Startdate: 26/05/2021 Architecture: WINDOWS Score: 100 58 omaprilcode.duckdns.org 2->58 62 Found malware configuration 2->62 64 Malicious sample detected (through community Yara rule) 2->64 66 Antivirus / Scanner detection for submitted sample 2->66 68 11 other signatures 2->68 8 524241363INV0ICE.exe 3 6 2->8         started        12 svchost.exe 2->12         started        14 svchost.exe 2->14         started        16 8 other processes 2->16 signatures3 process4 dnsIp5 50 C:\Windows\Resources\Themes\...\svchost.exe, PE32 8->50 dropped 52 C:\Windows\...\svchost.exe:Zone.Identifier, ASCII 8->52 dropped 72 Creates an autostart registry key pointing to binary in C:\Windows 8->72 74 Adds a directory exclusion to Windows Defender 8->74 76 Tries to delay execution (extensive OutputDebugStringW loop) 8->76 78 Drops PE files with benign system names 8->78 19 524241363INV0ICE.exe 8->19         started        24 cmd.exe 8->24         started        26 powershell.exe 24 8->26         started        34 3 other processes 8->34 80 Antivirus detection for dropped file 12->80 82 Multi AV Scanner detection for dropped file 12->82 84 Machine Learning detection for dropped file 12->84 28 powershell.exe 12->28         started        30 powershell.exe 12->30         started        86 Hides threads from debuggers 14->86 56 127.0.0.1 unknown unknown 16->56 54 C:\ProgramData\Microsoft54etwork\...\qmgr.jfm, COM 16->54 dropped 88 Changes security center settings (notifications, updates, antivirus, firewall) 16->88 32 WerFault.exe 16->32         started        file6 signatures7 process8 dnsIp9 60 omaprilcode.duckdns.org 194.5.97.75, 49715, 49716, 49717 DANILENKODE Netherlands 19->60 48 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 19->48 dropped 70 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->70 36 conhost.exe 24->36         started        38 timeout.exe 24->38         started        40 conhost.exe 26->40         started        42 conhost.exe 28->42         started        44 conhost.exe 34->44         started        46 conhost.exe 34->46         started        file10 signatures11 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c28cba104f491492158eedaf98c27c4f1f16aee1c6a4de5808e4cf9972dec69f/
Threat name:
ByteCode-MSIL.Backdoor.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2021-05-26 14:40:24 UTC
AV detection:
16 of 29 (55.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ykgluecpjekjefmo5wxzrqt4j4prnlxby2sn4wai4thzs4w6y2pq._file
Verdict:
unknown
Similar samples:
014559c2c1065356e11d627d00585941b39ee3b5cfe37f1063dbf03433084faf
NanoCore
1421f7c867ff97c915fab1236fe5277b3116b426c0102f805fab25ef19fc681c
NanoCore
3bc677cc5b49e7b46557a8ae8989658466afe3f62926c720499a90875760280d
NanoCore
5de88c3cd7bc2693f457838db811e28f744b221f074c1657cee397a0a5ae33b2
NanoCore
71539d77a4c2e58f492d16f513f49d2ac3c9f002ceb1dda0ca70a63e8e33fd88
NanoCore
754f418e35d948ec99839d8219eed9d6fd8a8f8e11151af62b5fd08c206c204a
NanoCore
79d73d305e1a52c157868e9f0305ae5e6aebb28e43d360334c118fc1640a5b2c
NanoCore
7fd7f40eb596ec6e50350e8b76a874dcd137229bf6cd86f8822fda8b0e7a37cc
NanoCore
9976d3013192eccd033fd429c7d9a14c2c144b8d1469d2b19fa2d6016aa74a1c
NanoCore
ece0f92110b68a8d7cd1d4a3099011d26d57670923e9e20328def2553ab69cbc
NanoCore
+ 238 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210526-x6lqpqs5se/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Windows security modification
NanoCore
Windows security bypass
Malware Config
C2 Extraction:
omaprilcode.duckdns.org:8090
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c28cba104f491492158eedaf98c27c4f1f16aee1c6a4de5808e4cf9972dec69f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:nanocore_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/162517/

Comments