MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cbaa36e6dfc82d307e840bb2ed3e1322fb07b5086530abee2ae29fa99a355b26. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: cbaa36e6dfc82d307e840bb2ed3e1322fb07b5086530abee2ae29fa99a355b26
SHA3-384 hash: e235a8601d3427593457ae2a58d462a45c2a2ed223f3cc7185a239962aed6d270f59eae4f0812024983236086a463d53
SHA1 hash: cc6dfc73f48357a5c0f6e0a2ed50c0efac436be1
MD5 hash: c6eadbeef2558b9cc3620bedd9a44c26
humanhash: robin-october-fruit-connecticut
File name: SecuriteInfo.com.Trojan.Nanocore.23.19592.12914
Signature: NanoCore
File size: 258'560 bytes
First seen: 2020-08-01 19:29:49 UTC
Last seen: 2020-08-02 07:33:04 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep: 6144:o12Ggte+fV9La/LlQCE3wh2mRO1jwCc91TcLpnI:UgbV9u/JUO2mAqCc91TInI
TLSH: 3C44CF9C725476DFC82BC876CEA82C64EA6078B7570BC253A46316AD990C9DBCF051F3
Reporter: @SecuriteInfoCom
Tags: NanoCore

Intelligence


File Origin
# of uploads: 2
# of downloads: 22
Origin country: US

Mail intelligence
No data

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness: (not reported)
Behaviour:
Creating a window
Unauthorized injection to a recently created process
Creating a file
Creating a file in the %AppData% subdirectories
Creating a file in the Program Files subdirectories
Sending a UDP request
DNS request
Connection attempt
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Result
Threat name: Nanocore
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature:
.NET source code contains potential unpacker
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM_3
Yara detected Nanocore RAT

Result
Threat name: ByteCode-MSIL.Backdoor.NanoCore
Status: Malicious
First seen: 2018-05-30 15:54:06 UTC
AV detection: 24 of 31 (77.42%)
Threat level: 5/5

Result
Malware family: nanocore
Score: 10/10
Tags: evasion trojan keylogger stealer spyware family:nanocore persistence
Behaviour:
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run key to start application

Malware Config (NanoCore)
Extraction:
crc2k18.mooo.com:9004
tuttotone.mooo.com:9004

Yara Signatures


Rule name: ach_NanoCore
Author: abuse.ch

Rule name: Nanocore
Author: JPCERT/CC Incident Response Group
Description: detect Nanocore in memory
Reference: internal research

Rule name: Nanocore_RAT_Feb18_1
Author: Florian Roth
Description: Detects Nanocore RAT
Reference: Internal Research - T2T

Rule name: Nanocore_RAT_Gen_2
Author: Florian Roth
Description: Detects the Nanocore RAT
Reference: https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name: win_nanocore_w0
Author: Kevin Breen <kevin@techanarchy.net>

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: NanoCore
File type: Executable exe
SHA256: cbaa36e6dfc82d307e840bb2ed3e1322fb07b5086530abee2ae29fa99a355b26 (this sample)

Delivery method: Distributed via web download

Comments