MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c3fb8b20af40e3a6905a1190d657bd725c241efa3d91d0c0e1546f2b8ae8a2ff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 16


Intelligence 16 IOCs 1 YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c3fb8b20af40e3a6905a1190d657bd725c241efa3d91d0c0e1546f2b8ae8a2ff
SHA3-384 hash: 2260e56eb994cf015e50fbafcb934c1c7108522e12a982f5a562ea256ded80341dfc7832526d9c9bbeda3486ce88a6cc
SHA1 hash: a803d959e77cdbec645288fe922d12e6888a209a
MD5 hash: 1d00728cbb02b69a8cad3f032be410c8
humanhash: echo-angel-cardinal-solar
File name:PAYMENTTRF889020022.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:364'461 bytes
First seen:2022-10-11 13:50:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (719 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 6144:HNeZmLE2rXehVTdEMLjtEkzKJg5/mnc52iOu0anAU5hvrBAVGFryDgvMar819nYk:HNl9KhVTtLjmkzufc5D0aBvrXVkgzr85
Threatray 7'379 similar samples on MalwareBazaar
TLSH T1BB7412548A14C523D9E70B7039AED37AADA4D92210F9C75F5BB09EAC7C22252DE0DB43
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
NanoCore C2:
37.0.14.210:6060

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
37.0.14.210:6060 https://threatfox.abuse.ch/ioc/878106/

Intelligence

File Origin
# of uploads :
1
# of downloads :
340
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/318973/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.6896.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching the default Windows debugger (dwwin.exe)
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process by context flags manipulation
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/42512/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/634574c767135c9da24657ce/reports/f5385e7c-9589-4f54-a5d0-720f36ee186a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NanoCoreRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/06b8e112-48d4-45c9-855b-771aee2f5f61
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1088044
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Executable has a suspicious name (potential lure to open the executable)
Found hidden mapped module (file has been removed from disk)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c3fb8b20af40e3a6905a1190d657bd725c241efa3d91d0c0e1546f2b8ae8a2ff/
Threat name:
Win32.Trojan.Elevator
Create hunting rule
Status:
Malicious
First seen:
2022-10-11 11:44:59 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yp5ywifpidr2nec2cginmv55ojocihx2hwi5bqhbkrxsxcxiul7q._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
1b8211b6c45db62e042398a3d94c429941a3f91b26736cd4fdcb712b70d2c194
NanoCore
1feec92d18902bbc841954145ee920e2dff92ed61759b17e451d8e59b95336ef
NanoCore
3dddb479a1240c5cfdc2636cdd8bc0ecd3d2e9da37a6b4d73e206a768cc24181
NanoCore
b34fa89e905c433fba20cea1f354208d0e2d4d3bf68796ce12cc53288302a69b
NanoCore
e527276384d145defb319a3c2adeb52e7825e5a7f8f7459ebc368c31a4018f03
NanoCore
fc0b31c02af9d2ce1c9e0b408777044c7cbc917e82be46ce486550023a083f15
NanoCore
+ 7'369 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:nanocore collection evasion keylogger spyware stealer trojan
Link:
https://tria.ge/reports/221011-q5tkeagea4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks whether UAC is enabled
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla
NanoCore
Malware Config
C2 Extraction:
37.0.14.210:6060
127.0.0.1:6060
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/95f55a69-bed0-46ec-84e0-806334a801af
Unpacked files
SH256 hash:
bfa00337f8bd225aadea7f94fa86584133ea36468a8ffaf2684e873f9838e91f
MD5 hash:
c496a41be190dd2f0de32243f785c1e9
SHA1 hash:
261ae81be71edcbfc45501c2e4f2795649ccf008
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/ab2029e3-10a4-42e6-8b68-db544b9c8430/
SH256 hash:
43e813371446bdfc34b3da56142e6c8c1cb54049f53d0fb0fbe5a520a3dd0778
MD5 hash:
b3471bbdf56bbb749e3f352ece42e150
SHA1 hash:
1b63de7e6eaa5289437b678d941426cc35873bfb
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/ab2029e3-10a4-42e6-8b68-db544b9c8430/
SH256 hash:
0b0f985c493696c622017a28c979417c5be084d91b7976eab2397e9ac5bbfeb8
MD5 hash:
8dca1faf45a7de90e2a67b3c724d9c14
SHA1 hash:
a48123b3a5e70f484566e55d92f2772e34393b92
Link:
https://www.unpac.me/results/ab2029e3-10a4-42e6-8b68-db544b9c8430/
SH256 hash:
c3fb8b20af40e3a6905a1190d657bd725c241efa3d91d0c0e1546f2b8ae8a2ff
MD5 hash:
1d00728cbb02b69a8cad3f032be410c8
SHA1 hash:
a803d959e77cdbec645288fe922d12e6888a209a
Link:
https://www.unpac.me/results/ab2029e3-10a4-42e6-8b68-db544b9c8430/
Malware family:
NanoCore
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c3fb8b20af40/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Nanocore
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c3fb8b20af40e3a6905a1190d657bd725c241efa3d91d0c0e1546f2b8ae8a2ff

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:malware_Nanocore_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:MALWARE_Win_NanoCore
Create hunting rule
Author:ditekSHen
Description:Detects NanoCore
Rule name:nanocore_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Feb18_1_RID2DF1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:Nanocore_RAT_Gen_2_RID2D96
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_nanocore_w0
Create hunting rule
Author:Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/318973/

Comments