MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c90f71acd19af5df99fa2694f1eeef65691a8f6555aa621bf9f012d37a8f0d3e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c90f71acd19af5df99fa2694f1eeef65691a8f6555aa621bf9f012d37a8f0d3e
SHA3-384 hash: 2326960e46449c3e4ff1f634d885ca9fccba036d5a466650211a7b800dad143ed77624f2c07f00def8c74a22e78f0cea
SHA1 hash: 739f9351fce13518ad07e7358ec86c6f35ce8c21
MD5 hash: ddd2506070a14da5fd0aa61bbbb1a059
humanhash: lion-fillet-carbon-autumn
File name:NewOrderSupplypdf.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:873'472 bytes
First seen:2021-05-10 04:20:28 UTC
Last seen:2021-05-10 04:52:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'603 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:HKupXaPGhhh9QcI5j35U7r2juun+P6spUCMWVH:FpXaphj35C6jfq1SC1V
Threatray 2'373 similar samples on MalwareBazaar
TLSH 8A05D06077D8D999E0BF57769830C0A023F27E5AD262C74F699A760D1EB23834277B07
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
NanoCore C2:
79.134.225.52:5540

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
79.134.225.52:5540 https://threatfox.abuse.ch/ioc/31385/

Intelligence

File Origin
# of uploads :
2
# of downloads :
142
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/153677/
Detection(s):
SecuriteInfo.com.Scr.Malcodegdn30.9754.6991.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/720958
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 409408 Sample: NewOrderSupplypdf.exe Startdate: 10/05/2021 Architecture: WINDOWS Score: 100 32 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->32 34 Multi AV Scanner detection for domain / URL 2->34 36 Found malware configuration 2->36 38 9 other signatures 2->38 8 NewOrderSupplypdf.exe 3 2->8         started        11 RegSvcs.exe 2 2->11         started        process3 signatures4 40 Writes to foreign memory regions 8->40 42 Injects a PE file into a foreign processes 8->42 13 RegSvcs.exe 12 8->13         started        18 RegSvcs.exe 8->18         started        20 conhost.exe 11->20         started        process5 dnsIp6 30 79.134.225.52, 49721, 49723, 49724 FINK-TELECOM-SERVICESCH Switzerland 13->30 26 C:\Users\user\AppData\Roaming\...\run.dat, data 13->26 dropped 28 C:\Users\user\AppData\Local\...\tmp93A8.tmp, XML 13->28 dropped 44 Hides that the sample has been downloaded from the Internet (zone.identifier) 13->44 22 schtasks.exe 1 13->22         started        46 Uses schtasks.exe or at.exe to add and modify task schedules 18->46 file7 signatures8 process9 process10 24 conhost.exe 22->24         started       
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c90f71acd19af5df99fa2694f1eeef65691a8f6555aa621bf9f012d37a8f0d3e/
Threat name:
ByteCode-MSIL.Backdoor.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2021-05-10 04:21:07 UTC
AV detection:
3 of 46 (6.52%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zehxdlgrtl257gp2e2kpd3xpmvurvd3fkwvgeg7z6ajng6upbu7a._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
02cf189467fdb7246a974e84e0deed6ae1a6e5a592cf7b2dc1895ffb4b60370a
NanoCore
41617ac4431c229ba27bf94617b465309e7f502ae5088cd12ee571a0428ea120
NanoCore
4f0035201ba7a3a536727862b8ac8dbf389038c5af1674ff7a982190fed1e30b
NanoCore
5b474ca6fc8158bd6f14d53bca8962f25db3392dfe324f49ddf376610bd785e4
NanoCore
69fa6ebff614598a1243cb00bc9a7c69e60fca3c3fd93da4157c418d202f1542
NanoCore
9630854693b8e9d6be3490068ba7c5797232578c1366480c17546079f880e19b
NanoCore
c52ddeac61f16fb23ff925617fba081392b7aabe47c82c765513755d38e62cde
NanoCore
cd78d1b64e4edb7547a10bcd919edafbc9501a6b6bbcfb796946ce03dfeec759
NanoCore
d70c3b1461ede99c050cd585bed7e5dc5ec536ca7b1d4c9a2461408fbefd5849
NanoCore
d9510122ef15d475c69ca539c949d4b8c8002b8f617411854098091106c37119
NanoCore
+ 2'363 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210510-hpkez9v6y2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
NanoCore
Malware Config
C2 Extraction:
79.134.225.52:5540
wealthybillionaire.ddns.net:5540
Unpacked files
SH256 hash:
dc079b42f77256b86578d3ed180e89ebbc49cf2edbd1328d8a40efae8b3b3d36
MD5 hash:
a513c0ba2f5e0553e5fafcbc7251d336
SHA1 hash:
959abec6005eb72f4c2344be20bcab5e890d048e
Link:
https://www.unpac.me/results/ea3fc267-1060-4323-98c4-f10cd05c7928/
SH256 hash:
c90f71acd19af5df99fa2694f1eeef65691a8f6555aa621bf9f012d37a8f0d3e
MD5 hash:
ddd2506070a14da5fd0aa61bbbb1a059
SHA1 hash:
739f9351fce13518ad07e7358ec86c6f35ce8c21
Link:
https://www.unpac.me/results/ea3fc267-1060-4323-98c4-f10cd05c7928/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c90f71acd19af5df99fa2694f1eeef65691a8f6555aa621bf9f012d37a8f0d3e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/153677/

Comments