MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c660d1d93adc735a9a5c59d18eecf6c4124b4e32b3a704bb754e490a2bf5eb35. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c660d1d93adc735a9a5c59d18eecf6c4124b4e32b3a704bb754e490a2bf5eb35
SHA3-384 hash: 59a09948e1076a08b10881b28f5aa152f944ccad0f9c18a8d2838225c10ec2b210a09040da0028a7eeaa783d1767e6a0
SHA1 hash: 0453c4f7c1ecc263e05dac2c9af0c5b83aa5cc93
MD5 hash: 7a8e7ee778dd642ab9f0e81c16af204f
humanhash: idaho-california-missouri-leopard
File name:late-payment.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:475'136 bytes
First seen:2020-07-28 19:59:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:zA3kJ79bwEPgxesXTq90F2QnCB4H4ljAFpcNXo4Uhc7HQpu2:k+JwpcEq9S2wR4ZAFpc1pUhSH
Threatray 1'250 similar samples on MalwareBazaar
TLSH 8DA46C1146BC8AE3F8EE7CFD15629B180660AC9A9C32E355C21F75F4ED33243D5296CA
Reporter cocaman
Tags:exe NanoCore

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/34015/
Detection(s):
Win.Malware.Score-7597125-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Launching a process
Creating a window
Creating a file
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% directory
Deleting a recently created file
Connection attempt
Unauthorized injection to a system process
Enabling autorun with Startup directory
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/400955
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Nanocore Rat
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 252737 Sample: late-payment.exe Startdate: 29/07/2020 Architecture: WINDOWS Score: 100 67 salespaul.hopto.org 2->67 69 g.msn.com 2->69 71 asf-ris-prod-neurope.northeurope.cloudapp.azure.com 2->71 79 Found malware configuration 2->79 81 Malicious sample detected (through community Yara rule) 2->81 83 Antivirus detection for dropped file 2->83 85 14 other signatures 2->85 13 late-payment.exe 3 2->13         started        17 RegAsm.exe 2 2->17         started        signatures3 process4 file5 63 C:\Users\user\AppData\Roaming63one, PE32 13->63 dropped 65 C:\Users\user\...65one:Zone.Identifier, ASCII 13->65 dropped 99 Maps a DLL or memory area into another process 13->99 101 Hides that the sample has been downloaded from the Internet (zone.identifier) 13->101 19 late-payment.exe 13->19         started        23 RegAsm.exe 8 13->23         started        26 conhost.exe 17->26         started        signatures6 process7 dnsIp8 73 192.168.2.1 unknown unknown 19->73 89 Maps a DLL or memory area into another process 19->89 28 late-payment.exe 19->28         started        31 RegAsm.exe 2 19->31         started        75 salespaul.ddns.net 129.205.112.120, 9036 globacom-asNG Nigeria 23->75 77 salespaul.hopto.org 105.112.45.74, 9036 VNL1-ASNG Nigeria 23->77 59 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 23->59 dropped 61 C:\Users\user\AppData\Local\...\tmpEB7F.tmp, XML 23->61 dropped 91 Hides that the sample has been downloaded from the Internet (zone.identifier) 23->91 33 schtasks.exe 1 23->33         started        file9 signatures10 process11 signatures12 97 Maps a DLL or memory area into another process 28->97 35 late-payment.exe 28->35         started        38 RegAsm.exe 2 28->38         started        40 conhost.exe 33->40         started        process13 signatures14 87 Maps a DLL or memory area into another process 35->87 42 late-payment.exe 35->42         started        45 RegAsm.exe 35->45         started        process15 signatures16 95 Maps a DLL or memory area into another process 42->95 47 late-payment.exe 42->47         started        50 RegAsm.exe 42->50         started        process17 signatures18 103 Maps a DLL or memory area into another process 47->103 52 late-payment.exe 47->52         started        55 RegAsm.exe 47->55         started        process19 signatures20 93 Maps a DLL or memory area into another process 52->93 57 RegAsm.exe 52->57         started        process21
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c660d1d93adc735a9a5c59d18eecf6c4124b4e32b3a704bb754e490a2bf5eb35/
Threat name:
ByteCode-MSIL.Backdoor.NanoCore
Create hunting rule
Status:
Malicious
First seen:
2020-07-28 20:01:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
46
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yzqndwj23rzvvgs4lhiy53hwyqjewtrswotqjo3vjzequk7v5m2q._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
013e28fb236b074fae60d3252c602924a886ad4c311310dbb19f85ba1c5e2425
NanoCore
06d720fb36d32c1b3ce7fea9bb50eb90c2e1d90b270c1f21658c1035344a4c4b
NanoCore
258856f05819789b47e0bed58b1df479976a355cd30b953b23f9e2f5d286578a
NanoCore
266c0f3b1cf78040080fce2037544112b77d23b25753c714d6390c2f705a3c34
NanoCore
55374abf463b7c308310fc62d2d25da0059234c002669bae24a710cf695be746
NanoCore
7926f37cb45c730b9fa347b9e605d1b8e6a055b97f335bf8f1ea99e953fc94da
NanoCore
8caedefa8cf9273522057503dc8c9cabeaea4eb113a612040f1da56f8d85dbbf
NanoCore
cf2ae6336471a78f6df77e11aaf70256bbdf16c64392c615e1ab2b3fbacce71a
NanoCore
d177132fa7941febe11431bb8dd897e86464eaac755b8e693ceba29be0f90afa
NanoCore
f1fddc0cfd9632772ba10b059d83a1bb34b01a81766e61804bc39ca3898c5211
NanoCore
+ 1'240 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
evasion trojan keylogger stealer spyware family:nanocore
Link:
https://tria.ge/reports/200728-fya8qxrwqa/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
NanoCore
Malware Config
C2 Extraction:
salespaul.hopto.org:9036
salespaul.ddns.net:9036
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c660d1d93adc735a9a5c59d18eecf6c4124b4e32b3a704bb754e490a2bf5eb35

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

z c65ba3a01a8ea83e7ce5c0eadf9193b78ae8900b1e2eb70f498b2bc2925633b7

NanoCore

Executable exe c660d1d93adc735a9a5c59d18eecf6c4124b4e32b3a704bb754e490a2bf5eb35

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 c65ba3a01a8ea83e7ce5c0eadf9193b78ae8900b1e2eb70f498b2bc2925633b7
Cape
Cape
https://www.capesandbox.com/analysis/34015/

Comments