MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c4dbec4c0df381cee21c2ba0d6105b0f7310c8f108e66e078df0ad4803148fb6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c4dbec4c0df381cee21c2ba0d6105b0f7310c8f108e66e078df0ad4803148fb6
SHA3-384 hash: 5dfa581d6231c01ac7a0967a0a1df0297f3fe937262da64f66e8cd72e4e829a574a966f0c895f7320704fe2b7e8dd94d
SHA1 hash: 29ff646c7c04a2be614bdbe87f73df87add78dda
MD5 hash: 303e92008ea45abde4fc35d8d176015d
humanhash: autumn-uniform-texas-queen
File name:DHL_file 187652345643476245.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:668'672 bytes
First seen:2021-01-06 07:59:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:plckliODxvkrhDdyquS7xY+R/3HMCX7ehD4Yym6D3V2i7LkuotFN5:p+kliXIqh7x7R/XMKqxvyfFI
Threatray 185 similar samples on MalwareBazaar
TLSH 74E4D013B7898B91D461F5FB03E6FF42235AF4D732D2871A07699712A9973C22E4E309
Reporter abuse_ch
Tags:DHL exe Hostwinds NanoCore RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: hwsrv-816835.hostwindsdns.com
Sending IP: 104.168.174.166
From: DHL Express <sales@gommcp.com>
Subject: 紧急 - DHL Shipment Document
Attachment: DHL_file 187652345643476245.iso (contains "DHL_file 187652345643476245.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
209
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL_file 187652345643476245.exe
Verdict:
Malicious activity
Analysis date:
2021-01-06 08:05:19 UTC
Tags:
rat nanocore
Link:
https://app.any.run/tasks/66cfdb11-681e-4dc3-aa9d-2962b1943393

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/110706/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the %temp% directory
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file
Enabling autorun by creating a file
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/574948
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Binary contains a suspicious time stamp
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 336532 Sample: DHL_file 187652345643476245.exe Startdate: 06/01/2021 Architecture: WINDOWS Score: 100 56 Found malware configuration 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 Multi AV Scanner detection for submitted file 2->60 62 7 other signatures 2->62 8 DHL_file 187652345643476245.exe 8 2->8         started        process3 file4 40 C:\Users\user\AppData\Roaming\demiusda.exe, PE32 8->40 dropped 42 C:\Users\user\AppData\...\AddInProcess32.exe, PE32 8->42 dropped 44 C:\Users\...\demiusda.exe:Zone.Identifier, ASCII 8->44 dropped 46 C:\...\DHL_file 187652345643476245.exe.log, ASCII 8->46 dropped 64 Hides that the sample has been downloaded from the Internet (zone.identifier) 8->64 12 demiusda.exe 5 8->12         started        signatures5 process6 file7 48 C:\Users\user\AppData\...\watchprcss.exe, PE32 12->48 dropped 66 Multi AV Scanner detection for dropped file 12->66 68 Writes to foreign memory regions 12->68 70 Allocates memory in foreign processes 12->70 72 2 other signatures 12->72 16 AddInProcess32.exe 6 12->16         started        20 watchprcss.exe 12->20         started        22 watchprcss.exe 2 12->22         started        24 6 other processes 12->24 signatures8 process9 dnsIp10 50 185.157.160.233, 2020 OBE-EUROPEObenetworkEuropeSE Sweden 16->50 52 annapro.linkpc.net 105.112.113.90, 2020 VNL1-ASNG Nigeria 16->52 38 C:\Users\user\AppData\Roaming\...\run.dat, ISO-8859 16->38 dropped 54 192.168.2.1 unknown unknown 20->54 26 watchprcss.exe 20->26         started        28 watchprcss.exe 22->28         started        30 watchprcss.exe 24->30         started        32 watchprcss.exe 24->32         started        34 watchprcss.exe 24->34         started        36 3 other processes 24->36 file11 process12
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c4dbec4c0df381cee21c2ba0d6105b0f7310c8f108e66e078df0ad4803148fb6/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-01-06 08:00:08 UTC
AV detection:
10 of 44 (22.73%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ytn6ytan6oa45yq4foqnmec3b5zrbshrbdtg4b4n6cwuqayur63a._file
Verdict:
suspicious
Similar samples:
09cfbae308d3cbdf17c9c71920feee15faac8ae3c78cf70d88fffbe49e166f4e
NanoCore
0bd437789c9fbcd602cf9683800b11ed80bc6b8ba8f68cf6c5ced137a0bedbd2
NanoCore
139d70b24d7cd96624f1559a68d903c5e80b690def1b68a185b9f389b6565fe2
NanoCore
144e3b521adb2f66b50fd33944e006ed93078559a0469ef44efad381d4865555
NanoCore
19d7b16a0a50b6eb2e79a6d04f1f4f8b17c9e82162ccdc0778cb0934af5b5657
NanoCore
7a538b979c2a126fb287ed7bbb18ac55687273dfbac2c09de85f073c9bf5e3df
NanoCore
f096da426fdb2c9c4fb89f2604e342c993a9f536ccb893deef1c556b27b13f3b
NanoCore
f1080a2b8c64a3c7b9ba733360e7e70947859b250f4ed760a35f7104a70d6d91
NanoCore
f2475f5a4b0adee960b88ced8bdf3d8ab9a852fc084cecbaf9ba539bc27a4517
NanoCore
ffd7be5ae67afdf3142cdcd69f24c09aecf699af284779f7bfe476dcaa8e2127
NanoCore
+ 175 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210106-99edjk1f66/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Drops startup file
Loads dropped DLL
Executes dropped EXE
NanoCore
Malware Config
C2 Extraction:
185.157.160.233:2020
annapro.linkpc.net:2020
Unpacked files
SH256 hash:
c4dbec4c0df381cee21c2ba0d6105b0f7310c8f108e66e078df0ad4803148fb6
MD5 hash:
303e92008ea45abde4fc35d8d176015d
SHA1 hash:
29ff646c7c04a2be614bdbe87f73df87add78dda
Link:
https://www.unpac.me/results/34ce2b60-a28c-49e4-ae59-da330aabef5f/
SH256 hash:
d3b379bee086c7ec93dc0ccd08ac239ad421fc55df5a2c3a7d9c2056f32fb38b
MD5 hash:
74dddc482650e2d72158f9945e9a32c4
SHA1 hash:
50c768c7ca483f7ea7ebf348f5a6ac913e32a7be
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/34ce2b60-a28c-49e4-ae59-da330aabef5f/
SH256 hash:
4f81e273da20c5b9835ce6ca57cc061d77764f9e3927bdb1505cb791bf50b046
MD5 hash:
29e19b5dce96140a8b90152b16bd44af
SHA1 hash:
4f3dc6eb876bb58f53966980a9c451a04ec17d8a
Link:
https://www.unpac.me/results/34ce2b60-a28c-49e4-ae59-da330aabef5f/
SH256 hash:
a60900adc31e8e28ff541b91a55de5d9719c0d1ddc3022eb6f6fb5ac19cc9e4f
MD5 hash:
831fb0609b3509b4fb31ac662ac69217
SHA1 hash:
985c33fa2b01e305995e2ea166b961b01f0f6335
Link:
https://www.unpac.me/results/34ce2b60-a28c-49e4-ae59-da330aabef5f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c4dbec4c0df381cee21c2ba0d6105b0f7310c8f108e66e078df0ad4803148fb6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:nanocore_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

iso 0899087aea9881758b10b878aa7dfd6089bdb5a046654250ecc53c751c167131

NanoCore

Executable exe c4dbec4c0df381cee21c2ba0d6105b0f7310c8f108e66e078df0ad4803148fb6

(this sample)

  
Dropped by
MD5 bbd7a2b33029a3bb4f08c2612a5d875b
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/110706/
  
Dropped by
SHA256 0899087aea9881758b10b878aa7dfd6089bdb5a046654250ecc53c751c167131

Comments