MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c52185f84a0dee6e455bef32b2c54c41f9d1342e4446d0154a8dcded9998f6d6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c52185f84a0dee6e455bef32b2c54c41f9d1342e4446d0154a8dcded9998f6d6
SHA3-384 hash: e5d37de96d68b6fc96c80cb6f41cbd749f6341cccf3e6d63f9f63772ab12ce3478d91ee9c713be5da885eb8611aeabb9
SHA1 hash: 065192bf3929e54a84b3fc6e30eb01f7efc82dd0
MD5 hash: e67258993090e0f1e2708caf4d36b43e
humanhash: hot-river-william-single
File name:Invoice PDF.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:535'362 bytes
First seen:2021-04-28 14:59:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ea4e67a31ace1a72683a99b80cf37830 (70 x Formbook, 64 x GuLoader, 54 x Loki)
ssdeep 12288:XC70ZD9RhBTF+t5ABdY2bHo99MaFLr43/su48s:X40XPhBL2Fks
Threatray 2'566 similar samples on MalwareBazaar
TLSH 31B4BED7D55048E8FC264372643B6C3F0AA3B5B989BC091E52AD72316BA3E9F4037617
Reporter James_inthe_box
Tags:exe NanoCore

Intelligence

File Origin
# of uploads :
1
# of downloads :
78
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Invoice PDF.exe
Verdict:
Malicious activity
Analysis date:
2021-04-28 15:11:08 UTC
Tags:
rat nanocore
Link:
https://app.any.run/tasks/f506f50a-072d-4bf8-a978-9b98d4702bdb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/145027/
Detection(s):
Win.Malware.Filerepmetagen-9855920-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Unauthorized injection to a recently created process
Creating a window
Creating a file in the %AppData% subdirectories
Creating a file in the Program Files subdirectories
Launching a process
Deleting a recently created file
DNS request
Sending a UDP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/700817
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 399328 Sample: Invoice PDF.exe Startdate: 28/04/2021 Architecture: WINDOWS Score: 100 54 haash.duckdns.org 2->54 58 Found malware configuration 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 Multi AV Scanner detection for dropped file 2->62 64 14 other signatures 2->64 9 Invoice PDF.exe 19 2->9         started        13 dhcpmon.exe 17 2->13         started        15 dhcpmon.exe 17 2->15         started        17 Invoice PDF.exe 17 2->17         started        signatures3 process4 file5 46 C:\Users\user\AppData\Local\...\46hvnaso.dll, PE32 9->46 dropped 68 Maps a DLL or memory area into another process 9->68 19 Invoice PDF.exe 1 12 9->19         started        48 C:\Users\user\AppData\Local\...\46hvnaso.dll, PE32 13->48 dropped 24 dhcpmon.exe 3 13->24         started        50 C:\Users\user\AppData\Local\...\46hvnaso.dll, PE32 15->50 dropped 52 C:\Users\user\AppData\Local\...\46hvnaso.dll, PE32 17->52 dropped 26 dhcpmon.exe 2 17->26         started        signatures6 process7 dnsIp8 56 haash.duckdns.org 185.244.30.174, 49718, 49723, 49726 DAVID_CRAIGGG Netherlands 19->56 36 C:\Program Files (x86)\...\dhcpmon.exe, PE32 19->36 dropped 38 C:\Users\user\AppData\Roaming\...\run.dat, data 19->38 dropped 40 C:\Users\user\AppData\Local\...\tmpAEE7.tmp, XML 19->40 dropped 42 C:\...\dhcpmon.exe:Zone.Identifier, ASCII 19->42 dropped 66 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->66 28 schtasks.exe 1 19->28         started        30 schtasks.exe 1 19->30         started        44 C:\Users\user\AppData\...\dhcpmon.exe.log, ASCII 24->44 dropped file9 signatures10 process11 process12 32 conhost.exe 28->32         started        34 conhost.exe 30->34         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c52185f84a0dee6e455bef32b2c54c41f9d1342e4446d0154a8dcded9998f6d6/
Threat name:
Win32.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-04-28 14:59:34 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
18 of 47 (38.30%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yuqyl6ckbxxg4rk354zlfrkmih45cnboirdnafkkrxg63gmy63la._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
0559b801a2f46ef7c8566900b2b8c3e1b01a162069e543aff364f4904db8926b
NanoCore
3f6f1635ca9660f24bf4e9527ec6136ed50ad9a8a88e442768143d55eb73a6af
NanoCore
41617ac4431c229ba27bf94617b465309e7f502ae5088cd12ee571a0428ea120
NanoCore
52b5f2f95b1200b20a6f3adfcb93c6f87713155f83176dede353ee158c7c1b63
NanoCore
5b474ca6fc8158bd6f14d53bca8962f25db3392dfe324f49ddf376610bd785e4
NanoCore
c9b860013650a0c0e6f33841fd050d6af538f94fafce33c33ec65a05ba7ba3dd
NanoCore
de0fa842d520e025262cbd93a9523bee414f8ceb7d79a73da2b2f133fc01346f
NanoCore
ef35e9ee19b48afad15e3a49ba0df682604fe2412830b6f4ac06f2119d57b953
NanoCore
f886c6422b5646eb98dc8dc9ab5ed9f5f09aaee19770ef4be2b576b9ba84efaf
NanoCore
fb01157b437b00f34999faa320bb55c8e44bdbb415e9a15503035bfe0e1d40d6
NanoCore
+ 2'556 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210428-8smdp2hnwe/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
NanoCore
Malware Config
C2 Extraction:
haash.duckdns.org:7899
Unpacked files
SH256 hash:
0ee360d008a8b5084af6ee6c42ec3ee1416812b7d445a0cb525e268a55f836e7
MD5 hash:
c1ec5c46b2df434d14f18bf0b0440e1b
SHA1 hash:
817e12366815ed012a0e7218b311be322f3beb02
Link:
https://www.unpac.me/results/733a04ae-ab7b-4e5c-9b8e-29cc3160e6e2/
SH256 hash:
c52185f84a0dee6e455bef32b2c54c41f9d1342e4446d0154a8dcded9998f6d6
MD5 hash:
e67258993090e0f1e2708caf4d36b43e
SHA1 hash:
065192bf3929e54a84b3fc6e30eb01f7efc82dd0
Link:
https://www.unpac.me/results/733a04ae-ab7b-4e5c-9b8e-29cc3160e6e2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c52185f84a0dee6e455bef32b2c54c41f9d1342e4446d0154a8dcded9998f6d6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:nanocore_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/145027/

Comments