MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d4b3ccca8a4726bb5093a9109c319456bc557b31a871c1b468c832e076f14b2f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d4b3ccca8a4726bb5093a9109c319456bc557b31a871c1b468c832e076f14b2f
SHA3-384 hash: a6ea54d2f3aa133f6a83127686c1716892931608b610eaa8de38edac9417fbc87c7e2dc83f61192ee8ebf0f30f649f31
SHA1 hash: 70652961654d240e149d65503fa58728d46495f4
MD5 hash: 28b67b46aab239d7756bc3197a405bde
humanhash: delaware-beryllium-avocado-monkey
File name:SecuriteInfo.com.CIL.HeapOverride.Heur.30379
Download: download sample
Signature NanoCore
Create hunting rule
File size:862'208 bytes
First seen:2020-07-17 20:57:10 UTC
Last seen:2020-08-02 07:34:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:fRYrMnqjzGYIdjMxMSo15GXacXYp3uyAjrMnnmI2k4zUk6jMwHLMHCk/fE23sN2/:fyrvxguwcLjrQMwH4HCkvcN
Threatray 1'093 similar samples on MalwareBazaar
TLSH 1F053AF7A74991CEC49FDEBCC4920B700987ED85E1F9920B02537C36363A7A1D9850AB
Reporter SecuriteInfoCom
Tags:NanoCore

Intelligence

File Origin
# of uploads :
3
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/27571/
Detection(s):
SecuriteInfo.com.CIL.HeapOverride.Heur.30379.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Connection attempt to an infection source
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/389212
Signature
.NET source code contains potential unpacker
Connects to many ports of the same IP (likely port scanning)
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 246800 Sample: SecuriteInfo.com.CIL.HeapOv... Startdate: 19/07/2020 Architecture: WINDOWS Score: 100 45 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->45 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 12 other signatures 2->51 8 SecuriteInfo.com.CIL.HeapOverride.Heur.exe 7 2->8         started        12 SecuriteInfo.com.CIL.HeapOverride.Heur.exe 2 2->12         started        process3 file4 29 C:\Users\user\AppData\...\mZtpUGulCG.exe, PE32 8->29 dropped 31 C:\Users\...\mZtpUGulCG.exe:Zone.Identifier, ASCII 8->31 dropped 33 C:\Users\user\AppData\Local\...\tmp3872.tmp, XML 8->33 dropped 35 SecuriteInfo.com.C...erride.Heur.exe.log, ASCII 8->35 dropped 53 Injects a PE file into a foreign processes 8->53 14 SecuriteInfo.com.CIL.HeapOverride.Heur.exe 10 8->14         started        19 schtasks.exe 1 8->19         started        21 SecuriteInfo.com.CIL.HeapOverride.Heur.exe 2 12->21         started        signatures5 process6 dnsIp7 39 ufok.duckdns.org 192.169.69.25, 24980, 49714, 49715 WOWUS United States 14->39 41 63.209.33.1, 24980 AS-CHOOPAUS United States 14->41 37 C:\Users\user\AppData\Roaming\...\run.dat, ISO-8859 14->37 dropped 43 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->43 23 schtasks.exe 1 14->23         started        25 conhost.exe 19->25         started        file8 signatures9 process10 process11 27 conhost.exe 23->27         started       
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d4b3ccca8a4726bb5093a9109c319456bc557b31a871c1b468c832e076f14b2f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-17 17:45:02 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2sz4zsuki4tlwuetveijymmuk26fk6zrvby4dndizazoa5xrjmxq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
1583c29f396b51c03866ecbac92dfae57d41c361d8f6f5ae71600a84a4b9033d
NanoCore
23fb5bf57b70184335261dec8c9bd0976ef8c61d843486ffdc5692aa9618e58e
NanoCore
289c596406900aae22ba6b3d5a9d5465e38faebb46698f89def637389f675ae6
NanoCore
6fac11ccc1a67ab04cb4e7477687006e8704c21f5019c9f562be7c8544d90c04
NanoCore
87ed12ca31489f4c5669a05fb47037aebebb7be8688528d4066dd75546ffcc22
NanoCore
c13ebcd5694fe6c489f6c829828bf20c4cc3008da2c75fe2cf39fda68d1024a6
NanoCore
c7434a901ef82dba7f31d229cf40797bae4b6486378262b55120446cf469bfe2
NanoCore
cd0d819c22a2a666d5a05c0162a595fee27f062edf3b3b4070bc193bac9d229b
NanoCore
e16297ef56ee81e53dd0bed2d0891132899dba6b888737f0e21a38b361a34a64
NanoCore
ec89b2b660ea42254a90f3b045dc98bfe6d1733878bd39a2a7030d68de169859
NanoCore
+ 1'083 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
evasion trojan keylogger stealer spyware family:nanocore
Link:
https://tria.ge/reports/200717-j9bv63jt2a/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
NanoCore
Malware Config
C2 Extraction:
63.209.33.1:24980
ufok.duckdns.org:24980
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d4b3ccca8a4726bb5093a9109c319456bc557b31a871c1b468c832e076f14b2f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NanoCore

Executable exe d4b3ccca8a4726bb5093a9109c319456bc557b31a871c1b468c832e076f14b2f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/414143/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/27571/

Comments