MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dbf5c6082a3384bc7cfa397afa6fe19576457a2341ce92c0354455deea96b360. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Family: NanoCore

Vendor detections: 8



SHA256 hash: dbf5c6082a3384bc7cfa397afa6fe19576457a2341ce92c0354455deea96b360
SHA3-384 hash: 26974cdcc74209c10323a792a90af51e4387ebf358d2ed030f80b4f44bb06fc76eea18f7681e0aef77c9465dc70bd502
SHA1 hash: 5e4e865a3a87195459fb064e15646f3d65de8982
MD5 hash: 29253b26a844fb3f4e3313a5adbd4e21
humanhash: september-ceiling-quiet-golf
File name: BID PRICE.exe
Signature: NanoCore
File size: 932'864 bytes
First seen: 2020-10-26 14:48:53 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 1496cafa3f41b8b2ba3e8c456ce5709d (12 x AsyncRAT, 7 x AgentTesla, 6 x Loki)
ssdeep: 12288:UcKL9CyOXr2P3tSAD5lDCPjgjAKrUwODsveMbg17P81Mg5c/6EQtU/+:UlbCaffOj29UhDogNH6hUG
Threatray: 1'613 similar samples on MalwareBazaar
TLSH: 5C158D2EB29148F3F56329789C1B57649D26BE103D24BE462BF4DCC8DF796813839293
Reporter: James_inthe_box
Tags: exe NanoCore

Intelligence


File Origin
Uploads: 1
Downloads: 104
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Launching a process
Creating a file in the %AppData% subdirectories
Creating a file in the Program Files subdirectories
DNS request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Threat name: Nanocore
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Delayed program exit found
Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Drops VBS files to the startup folder
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Drops script at startup location
Sigma detected: NanoCore
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Nanocore RAT
Behaviour
Behavior Graph (ID: 305284, Sample: BID PRICE.exe, Startdate: 26/10/2020, Architecture: WINDOWS, Score: 100): process tree rendered as an image on the original page; not reproducible as text. Nodes shown in the graph: BID PRICE.exe spawning further BID PRICE.exe, notepad.exe and dhcpmon.exe instances, wscript.exe, a DNS lookup of malam.ddns.net (197.210.54.48, port 2000) and a connection to 197.210.84.22, port 2000 (both VCG-ASNG, Nigeria), and dropped files C:\Program Files (x86)\...\dhcpmon.exe (PE32), C:\Users\user\AppData\Roaming\...\run.dat (data) and C:\Users\user\AppData\...\zarammmmmmm.vbs (ASCII).
Threat name: Win32.Trojan.NetWired
Status: Malicious
First seen: 2020-10-26 14:48:24 UTC
File Type: PE (Exe)
Extracted files: 39
AV detection: 25 of 29 (86.21%)
Threat level: 5/5

Result
Malware family: nanocore
Score: 10/10
Tags: upx evasion trojan keylogger stealer spyware family:nanocore persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies registry class
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Drops startup file
UPX packed file
NanoCore
Malware Config
C2 Extraction:
:2000
malam.ddns.net:2000
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_NanoCore
Author: abuse.ch

Rule name: Nanocore
Author: JPCERT/CC Incident Response Group
Description: detect Nanocore in memory
Reference: internal research

Rule name: nanocore_rat
Author: jeFF0Falltrades

Rule name: Nanocore_RAT_Feb18_1
Author: Florian Roth
Description: Detects Nanocore RAT
Reference: Internal Research - T2T

Rule name: Nanocore_RAT_Gen_2
Author: Florian Roth
Description: Detects the Nanocore RAT
Reference: https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name: win_nanocore_w0
Author: Kevin Breen <kevin@techanarchy.net>

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other

Comments