MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c4c568a39e7d764ed403c5fa9315bfc027b578f7649fec4dda4def19848b4a8e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 5

Intelligence 5 IOCs YARA 5 File information Comments

SHA256 hash:	c4c568a39e7d764ed403c5fa9315bfc027b578f7649fec4dda4def19848b4a8e
SHA3-384 hash:	0c73f05f3a20f26a2eb2a748c36b4d73b48ba38b152007c2e4aa85bd46ef3c294a5c6246036059de03642e33962aabb9
SHA1 hash:	cafd135b2c07c8f945cbcf754e36b25fd441d564
MD5 hash:	aa7a244e34009c4c2126f5aa1d21c3eb
humanhash:	bakerloo-bakerloo-five-oxygen
File name:	c4c568a39e7d764ed403c5fa9315bfc027b578f7649fec4dda4def19848b4a8e
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	499'488 bytes
First seen:	2020-06-10 11:45:53 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	6144:WaUPS56VEJD6LpeJX4Kwbygt96h57KFuJLBQol7GRG8iZVtb8H:WaU+6VEt6sV4Kwbvu8uJLWDGz2H
Threatray	1'843 similar samples on MalwareBazaar
TLSH	DAB48C3A3345441DC56E42B7601AA6C5A77797C23AC3EB9F30EE53588F0379B276708A
Reporter	JAMESWT_WT
Tags:	NanoCore

Code Signing Certificate

Organisation:	DigiCert Assured ID Root CA
Issuer:	DigiCert Assured ID Root CA
Algorithm:	sha1WithRSAEncryption
Valid from:	Nov 10 00:00:00 2006 GMT
Valid to:	Nov 10 00:00:00 2031 GMT
Serial number:	0CE7E0E517D846FE8FE560FC1BF03039
Intelligence:	22 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	3E9099B5015E8F486C00BCEA9D111EE721FABA355A89BCF1DF69561E3DC6325C
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Trojan.Nanocore-5

Gathering data

Threat name:

ByteCode-MSIL.Backdoor.NanoCore

Status:

Malicious

First seen:

2020-06-08 20:30:44 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 31 (80.65%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ytcwri46pv3e5vadyx5jgfn7yat3k6hxmsp6yto2jxxrtbeljkha._file

Verdict:

malicious

Label(s):

nanocorerat

NanoCore

5e3140ed7841e6893114a0d4d9c5ee239736449aaba20d2c8939a051e5ef21c5

NanoCore

756fde810887452ab2533283973f2e582df198988bcafde9f20dc85e35f4d5c4

NanoCore

7d1ce7961e394f55fb7162e18e6cf587faa463d29ba5976eaad83b409f060621

NanoCore

b78996718e94fe9cf9cc228f474b774fd7bd54133762d183ba2e6c141b3a218a

NanoCore

cff3d5fedc8fdab09a7b27524a02503b53f4f7378ab0a09219701d3b9c3e68f4

NanoCore

dca09e669f01dcc5efa9ab9120ce3febd53868b3ba12a6e0b4574b82b3d0e392

NanoCore

e777a395f2d28d4b57113b46bb4af52ec1e6d1d48342d0fb24a142df1fffbdc7

NanoCore

ef5b4a828d4322e2ca5681423488e03e9991191809fc068d80ce0bbeba792984

NanoCore

f5b99bdcb3a09ccef9455e82dff1902b6913280d293be51d87de78fc418e9f72

NanoCore

+ 1'833 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

family:nanocore agilenet evasion keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/201109-3snj13kvss/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Suspicious use of SetThreadContext

Adds Run key to start application

Checks whether UAC is enabled

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Executes dropped EXE

NanoCore

Malware Config

C2 Extraction:

packservie.giize.com:2021
lineservie.freeddns.org:2021

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name:	win_nanocore_w0 Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample