MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c59c3b7e61af36979afe094310c06e24677975d07026ec9af07bfde74da794b6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c59c3b7e61af36979afe094310c06e24677975d07026ec9af07bfde74da794b6
SHA3-384 hash: df5753383b30edf5316e79542c8665d4abd5f420f63542433c17eeeaf0cd2d27554420120c5cb5a24e30e6f883e1ce2a
SHA1 hash: 4f714f9626387b31dca17ed437c78896ec3c7cd0
MD5 hash: ba4aca8c6a00aaf83f5e64f39af02182
humanhash: kitten-purple-nine-happy
File name:CV.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:773'120 bytes
First seen:2022-07-19 14:20:53 UTC
Last seen:2022-07-19 14:53:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:r/oNCWb2gb3IU3SrsYdIiUj5CW8hLIBnfJdMm7+X0PGynfKAHpARaFlSNSD3:DosO92HdIXjcnAdMm7+YZfLJaaQSD3
Threatray 4'356 similar samples on MalwareBazaar
TLSH T184F4238237E49505C6BF0F3BA472964027B1EB9234A2E7DF7D90639E0C973498A11F67
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
NanoCore C2:
208.67.104.253:5899

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
208.67.104.253:5899 https://threatfox.abuse.ch/ioc/838693/

Intelligence

File Origin
# of uploads :
2
# of downloads :
322
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
nanocore
Create hunting rule
ID:
1
File name:
Professional CV.IMG
Verdict:
Malicious activity
Analysis date:
2022-07-19 17:59:14 UTC
Tags:
trojan nanocore rat
Link:
https://app.any.run/tasks/cfbdf896-7fd5-4f2d-8062-91165e6f0eca

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/291887/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.5417.29606.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62d6be60ef2b0e63a8264e14/reports/84384adb-57ab-497e-b554-040abdf885c3/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NanoCoreRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fc3da858-26a4-4e7f-a22d-b9a6d6e14d02
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1036561
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: NanoCore
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 669055 Sample: CV.exe Startdate: 19/07/2022 Architecture: WINDOWS Score: 100 76 brewsterchristophe.ddns.net 2->76 82 Snort IDS alert for network traffic 2->82 84 Malicious sample detected (through community Yara rule) 2->84 86 Multi AV Scanner detection for dropped file 2->86 88 12 other signatures 2->88 9 CV.exe 7 2->9         started        13 CV.exe 2->13         started        15 dhcpmon.exe 2->15         started        17 dhcpmon.exe 2->17         started        signatures3 process4 file5 68 C:\Users\user\AppData\...\kDkUsZDhchjz.exe, PE32 9->68 dropped 70 C:\Users\...\kDkUsZDhchjz.exe:Zone.Identifier, ASCII 9->70 dropped 72 C:\Users\user\AppData\Local\...\tmp9904.tmp, XML 9->72 dropped 74 C:\Users\user\AppData\Local\...\CV.exe.log, ASCII 9->74 dropped 92 Uses schtasks.exe or at.exe to add and modify task schedules 9->92 94 Adds a directory exclusion to Windows Defender 9->94 96 Injects a PE file into a foreign processes 9->96 19 CV.exe 1 15 9->19         started        24 powershell.exe 24 9->24         started        26 schtasks.exe 1 9->26         started        28 powershell.exe 13->28         started        30 schtasks.exe 13->30         started        32 CV.exe 13->32         started        34 powershell.exe 15->34         started        36 2 other processes 15->36 38 3 other processes 17->38 signatures6 process7 dnsIp8 78 brewsterchristophe.ddns.net 208.67.104.253, 49768, 49791, 49837 GRAYSON-COLLIN-COMMUNICATIONSUS United States 19->78 80 192.168.2.1 unknown unknown 19->80 62 C:\Program Files (x86)\...\dhcpmon.exe, PE32 19->62 dropped 64 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 19->64 dropped 66 C:\...\dhcpmon.exe:Zone.Identifier, ASCII 19->66 dropped 90 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->90 40 schtasks.exe 19->40         started        42 schtasks.exe 19->42         started        44 conhost.exe 24->44         started        46 conhost.exe 26->46         started        48 conhost.exe 28->48         started        50 conhost.exe 30->50         started        52 conhost.exe 34->52         started        54 conhost.exe 36->54         started        56 2 other processes 38->56 file9 signatures10 process11 process12 58 conhost.exe 40->58         started        60 conhost.exe 42->60         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c59c3b7e61af36979afe094310c06e24677975d07026ec9af07bfde74da794b6/
Threat name:
ByteCode-MSIL.Backdoor.NanoCore
Create hunting rule
Status:
Malicious
First seen:
2022-07-19 14:21:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
56
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ywodw7tbv43jpgx6bfbrbqdoertxs5oqoatozgxqpp66otnhss3a._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
21281c48dd7beeb19d22aef27f4d77f79c550fc32acc69d4c3b91966cc8a048b
NanoCore
391a88a9491f588c3d283e5c9a54d8cfd4f2facd2e98457a38775ea585b0a299
NanoCore
57fd565bb44788ce8f547cf1f439fb37bbe78944175bbc43ffa4b64156665556
NanoCore
6bdbf82319b9c14df59cbbe82c0b79db631510cef4f2e6a6735eeb0e329fd943
NanoCore
a321efcbd0394eade04263fd6498396c3e831ed65aa349c00dbf2b131994e19a
NanoCore
aad767fb72b5d095c435ec086efb56afff9018ca22cf2023f75e95bb3bdbbecb
NanoCore
f9f0ee1a3ac1ae5260be8397d9b610b960971a9df353f41be9fa4596aff5eff3
NanoCore
+ 4'346 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger persistence spyware stealer suricata trojan
Link:
https://tria.ge/reports/220719-rnzkrseggn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Checks computer location settings
NanoCore
suricata: ET MALWARE Possible NanoCore C2 60B
Malware Config
C2 Extraction:
brewsterchristophe.ddns.net:5899
194,147,5,75:5899
Unpacked files
SH256 hash:
04d2bb57bc7c7172c44e2c93381b72cb4bc9cd50430da463c9c35c4ac6d2f35f
MD5 hash:
e3eb4a7125cd1bba7c4ea8ac54142537
SHA1 hash:
edbff3cdf7397f2c13a5338e11caffc7ce5c7524
Link:
https://www.unpac.me/results/43dc8f39-c3bf-4012-8529-bd8bbb141a5d/
SH256 hash:
39c2d879c57f07305ce60412dc8a88f02e51f1a14a06cc605768d1d7f5313807
MD5 hash:
db51fe170a9e5d6ec5429a2fbd9d0353
SHA1 hash:
e30a58125fc41322db6cf2ccb6a6d414ed379016
Link:
https://www.unpac.me/results/43dc8f39-c3bf-4012-8529-bd8bbb141a5d/
SH256 hash:
f6d1cda2efe2622064025631b2a1ee8e5bdc057798de203ed5841916e662b4a1
MD5 hash:
fb7cc194309b03e66b160fe20f371762
SHA1 hash:
7b6fe95b9b6af1328d43ef9fff27919d807b9c47
Link:
https://www.unpac.me/results/43dc8f39-c3bf-4012-8529-bd8bbb141a5d/
SH256 hash:
002c1ea7d37e537340f74f9b32cde7b88417bfa6951a37bcd65698c28e51db83
MD5 hash:
a28fa5f6df21c193f82635a08b619b36
SHA1 hash:
4b34c539b30cad925cacfe7c29715ee811202359
Link:
https://www.unpac.me/results/43dc8f39-c3bf-4012-8529-bd8bbb141a5d/
SH256 hash:
1705f8964f5c236633462fd39a5014dab266d579d4c6eefb65ac1ce95e22c552
MD5 hash:
23e4d54d6d369f1cef788806c92f512a
SHA1 hash:
274d8ceb73e8ed7661451c8aba24cecd830cd302
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/43dc8f39-c3bf-4012-8529-bd8bbb141a5d/
Parent samples :
a321efcbd0394eade04263fd6498396c3e831ed65aa349c00dbf2b131994e19a
57fd565bb44788ce8f547cf1f439fb37bbe78944175bbc43ffa4b64156665556
c59c3b7e61af36979afe094310c06e24677975d07026ec9af07bfde74da794b6
8c8804a51f249b24b1ae1ad4487ed7bddd999f2a38158ef789af1c215559470e
d6538ca0dc816bcfb3f60df32e6550b91f3bd055af29f02591bcc3523ef921f6
78a74ab5a966c5040df4bb1b1a08a3bfa7d947aaee7e926b52a20186ed7f7158
64fb8789e8e0fb9c082c2999538a5dec7de3d0f722db0e95024134cce9a6d3d0
449055658e47e349dc4bb4e3c0adb81350033e687379f97237c6c80d6f1cb228
6b9c180d50ea0534d74fa091c19e53e40d98362cf4cc89519a65f328a701c6d4
0c8a003199b0dad7f78d98264132563b69b9dc7db94070f8f4e3a8d772ba31e8
b80b496fbcd8fdc4e6bc183162a25e530bf8b2ed8b8adf5ea1285159527942e2
1521a38b6aae5d1956ed09556fd9f6aa20b14d56e10232425aba7289b6d8bae5
c8f0e0c3a2fdc30c0bdb9981d9351b645991582db1a3f13858b180d9fe336694
1f3a7e183273798800d2655de5632cf9d900ba43cb7141ee871138baa58368a9
fadc03fc007070883778ae79c131e4c7b32e4fd9bcfce160471c2562c1a1fffb
b2b9d072b9292b91cb1b06073976e14ad1b2ae058b9c0d8b501105aca2881599
8a3d4a0f0802ea706906f866136b5e9544209d2e11e5c8b807a0a1a4dc378adb
13b4310ab48353c03081863aed798e98bd052f34a185deec31cc53fb8581400b
6039522fefe49f8bd1fdce03aaaace7c17b953ee76866329664d3a170bf13e2c
46d47ddb45405f4df17bb8257f53cc4136224e7869f870c1e6fcc34a81a28c4a
301327113173e1a09d26663802c3e61571e49eb4022138e4b8a5a4c59c5aef84
092800cb5a3d6b797e42f69f02c7247a85c87f5c9cf42811401d37dd8d1f7333
f7855a902d3593167f12ec67e73d286537596ce14aba2c890cfcfac016f4d564
b49ae429c9b3e4e9e59823d44795b16fc7184e5d18d9c7a1b7f70e11ee6c4400
6c29578e601488f2515975c4d31bd6a5042da0578d9eef2db6801bffba10cf23
3dddb479a1240c5cfdc2636cdd8bc0ecd3d2e9da37a6b4d73e206a768cc24181
6c8576cf231fd3e4c6812399704820c6b9d462e99d696181adf071015b92ea27
5f203844e8cb82ad24fcef815c4fcb03fa14789663e8fa83b459e6f1f1852f27
f01dd589bf6eee71da5d8f1dd99471c0ff2b2e4071147bfcad07d75727258425
a509158e1105757bec0ff3f7dd621360d0acb1f17271841c19dab776004cd17e
f2d01738489cb69458555f6fe64ba65e0ed7fe444f2eb04ad71c968ded40d48c
9d3daf108dbb469968ba5f3bacd9a629c274f00d74eba9569d59609242700349
bafacce7e32e02ec671933a99bdb31c65addf24813422f50f0a5879637210255
2c49d57864b4be1f8b2907b78e963abc931333d98ad1653be2a9826f412500fb
5f33488d404030c908ce3cc6a99867d2ccd697e2d67a5e02d23fe73b45f7e2a0
982d20cce7e6458f1b964b36efef0c7245bd155962c04b08e02323c9efc60f3b
2777c2ab1358ff442a0744634600581a71c0ea57b983437aaf1b2b184e249c3e
70a17ce04f4103804cdcb27e36235a89ba45561e5a477da5dc1a5e6f604d0ea7
a89892d742a7c1c0e63d3606d9e4764a8f6318dbbc58c2a2f14963fb47c380a8
09bb497c378ed884983055338dce20e8db38ed9b966da929b0f1d5d646a52808
SH256 hash:
c59c3b7e61af36979afe094310c06e24677975d07026ec9af07bfde74da794b6
MD5 hash:
ba4aca8c6a00aaf83f5e64f39af02182
SHA1 hash:
4f714f9626387b31dca17ed437c78896ec3c7cd0
Link:
https://www.unpac.me/results/43dc8f39-c3bf-4012-8529-bd8bbb141a5d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c59c3b7e61af36979afe094310c06e24677975d07026ec9af07bfde74da794b6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/291887/

Comments