MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ccb238545e350b6c90285c5eff16df04dd0da678b587613c3f4e4f9bc4799d01. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ccb238545e350b6c90285c5eff16df04dd0da678b587613c3f4e4f9bc4799d01
SHA3-384 hash: 34626f6a0788818733c5c4e832bd5fd62bf9f591510828a870ab06bbdbd007151f4aa87146b2f0a0d9e05a1ac01fcade
SHA1 hash: f01c8b11a3964913d827d612557410766029db08
MD5 hash: b346b95b211c8da43f5a8d3ed6f600fd
humanhash: california-mexico-idaho-mars
File name:Request.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:615'424 bytes
First seen:2020-11-30 14:51:08 UTC
Last seen:2020-11-30 17:17:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:JO/X/FYk/MslwOUU6zYL1AWjkamwhvQK1isY3dFexKiQO/wgQqROU3BF5EEhSL04:JOPd/tYPz+FNY3vedxwyOUr5Lgx
Threatray 1'366 similar samples on MalwareBazaar
TLSH 0DD47C17B75C8FA4D96C72BB03E5EB112354E5E732108F6A174B9B2896932C76E0D338
Reporter James_inthe_box
Tags:exe NanoCore

Intelligence

File Origin
# of uploads :
2
# of downloads :
232
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Nanocore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/106060/
Detection(s):
SecuriteInfo.com.FileRepMalware.15458.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% directory
Launching cmd.exe command interpreter
Creating a process from a recently created file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/550982
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Creates an undocumented autostart registry key
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 324608 Sample: Request.exe Startdate: 30/11/2020 Architecture: WINDOWS Score: 100 69 Found malware configuration 2->69 71 Malicious sample detected (through community Yara rule) 2->71 73 Multi AV Scanner detection for submitted file 2->73 75 7 other signatures 2->75 9 Request.exe 2 2->9         started        13 dhcpmon.exe 2->13         started        process3 file4 59 C:\Users\user\AppData\...\Request.exe.log, ASCII 9->59 dropped 87 Hides that the sample has been downloaded from the Internet (zone.identifier) 9->87 15 cmd.exe 1 9->15         started        17 cmd.exe 2 9->17         started        20 conhost.exe 13->20         started        signatures5 process6 file7 22 window.exe 1 15->22         started        25 conhost.exe 15->25         started        57 C:\Users\user\AppData\Roaming\window.exe, PE32 17->57 dropped 27 conhost.exe 17->27         started        process8 signatures9 77 Multi AV Scanner detection for dropped file 22->77 79 Uses cmd line tools excessively to alter registry or file data 22->79 81 Writes to foreign memory regions 22->81 83 3 other signatures 22->83 29 InstallUtil.exe 1 8 22->29         started        34 cmd.exe 1 22->34         started        36 cmd.exe 1 22->36         started        38 8 other processes 22->38 process10 dnsIp11 65 new8855.duckdns.org 79.134.225.76, 49730, 49733, 49734 FINK-TELECOM-SERVICESCH Switzerland 29->65 67 127.0.0.1 unknown unknown 29->67 61 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 29->61 dropped 63 C:\Program Files (x86)\...\dhcpmon.exe, PE32 29->63 dropped 89 Hides that the sample has been downloaded from the Internet (zone.identifier) 29->89 91 Uses cmd line tools excessively to alter registry or file data 34->91 40 reg.exe 1 1 34->40         started        43 conhost.exe 34->43         started        45 conhost.exe 36->45         started        47 reg.exe 1 36->47         started        49 conhost.exe 38->49         started        51 reg.exe 38->51         started        53 conhost.exe 38->53         started        55 12 other processes 38->55 file12 signatures13 process14 signatures15 85 Creates an undocumented autostart registry key 40->85
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ccb238545e350b6c90285c5eff16df04dd0da678b587613c3f4e4f9bc4799d01/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-11-30 14:50:47 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
34 of 48 (70.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zszdqvc6gufwzebilrpp6fw7atoq3jtywwdwcpb7jzhzxrdztuaq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
1d544377caff885efdc6f149a99a0ae48d03cad19f3b7eb040ec6a90058556bd
NanoCore
21355c7eb596e21724d0a59545db0faf6219b858986cb5b0162201f54288ebb8
NanoCore
2c76a946613af327c39bc27c9eadbdc130c649ec0b34a21db170b0bd6662f7bc
NanoCore
68ae61de8b2ab8c34ba06d34a09d487408f09d8b75a79c04df4fe7842de0716d
NanoCore
6ed6aebe6d0b839ab5a5bebad7d58d72445146afa8ee9742f9b0e287f007b3c4
NanoCore
86432e782ec0089c5cc180a225cf8aff59409c0ef773c0e10e6ddf898b0508bd
NanoCore
91966b77a6acc2fd64c773d8797a505c40ecd272ebb4b44a5757990b5e4939c5
NanoCore
c8718b1795499f8f6958c2665914bd1320a4a3a6b039f00d19ab7ca283ffb968
NanoCore
ec9d801b120855fe926902234e77c60d5a0c8a115a977fe49e6b6b1539e0db51
NanoCore
ed6ea055c622adab41b5eba73b4d556c4c843b9e77e21933297ca0ce972ce5c4
NanoCore
+ 1'356 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201130-2b2vze9g6e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Modifies WinLogon for persistence
NanoCore
Malware Config
C2 Extraction:
new8855.duckdns.org:9922
127.0.0.1:9922
Unpacked files
SH256 hash:
542282ed737d2cb55e3cb59d05e58e8dbf6473d63461194a9ba597f0f3eb5d75
MD5 hash:
0ab09caf48c9dcbcbd53aef80493abd2
SHA1 hash:
fd985c8ed98d443fde035be26592b92662b9c5ea
Link:
https://www.unpac.me/results/fc46d4df-72bf-4b0a-b01f-8d8b92ee0b64/
SH256 hash:
fbe930d137c1ec5edb0579bb6ee3125f54b515ad705d8a70dd57645b0618db63
MD5 hash:
1068c6788ef7c1a657eecb34c9a20aa0
SHA1 hash:
ade54b7cc9f729ec470615e6c4d04347a3b81cc5
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/fc46d4df-72bf-4b0a-b01f-8d8b92ee0b64/
SH256 hash:
4f690f3cf792f24a571f09740cf25d0979bde8c11180a26864056643c30479cd
MD5 hash:
304cc4a1948539064cfec5b70bd83e21
SHA1 hash:
32b3754f52323fd71b8349f01c9dd4bc4fecd880
Link:
https://www.unpac.me/results/fc46d4df-72bf-4b0a-b01f-8d8b92ee0b64/
SH256 hash:
ccb238545e350b6c90285c5eff16df04dd0da678b587613c3f4e4f9bc4799d01
MD5 hash:
b346b95b211c8da43f5a8d3ed6f600fd
SHA1 hash:
f01c8b11a3964913d827d612557410766029db08
Link:
https://www.unpac.me/results/fc46d4df-72bf-4b0a-b01f-8d8b92ee0b64/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ccb238545e350b6c90285c5eff16df04dd0da678b587613c3f4e4f9bc4799d01

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/106060/

Comments