MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de057b593516b8235125f2513f090ffc60359e6707207492f7bd56bc67d35cd8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 4

Intelligence 4 IOCs YARA 5 File information Comments

SHA256 hash:	de057b593516b8235125f2513f090ffc60359e6707207492f7bd56bc67d35cd8
SHA3-384 hash:	a1c4740d1f684c6814fbee6bbbaba0a8d8c97b046fcb59aa5e798dc701a9492e55b23d37b23d6a6c287827f8e606da77
SHA1 hash:	06490349e54d1afea5fe589f3c75644f8e608585
MD5 hash:	448186a0f046cc5c3560a4c33c826d8b
humanhash:	failed-batman-july-mockingbird
File name:	yyUMUKt5QiL7x5A.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	596'480 bytes
First seen:	2020-04-10 11:46:09 UTC
Last seen:	2020-04-10 12:38:20 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:FFb+t+A7kzxGxru9hOqbRxkIGNrhvNbiZVhYkGNejNd1756zZ2V5k2racJiA7nT/:Fwt96DGtYWcjNdKzk5No
Threatray	1'081 similar samples on MalwareBazaar
TLSH	C2C49D483650B58FC85BCD728EA41C60AB70647B570BE303A89725ED9D5EBDBCF052A3
Reporter	jarumlus
Tags:	NanoCore

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.KillProc2.9740.2609.21200.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Agensla

Status:

Malicious

First seen:

2020-04-10 00:00:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

27 of 31 (87.10%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=3ycxwwjvc24cgujf6jit6cip7rqdlhtha4qhjexxxvllyz6tltma._file

Verdict:

malicious

Label(s):

nanocorerat

NanoCore

16a89bdfcb47975f86cf09cca2ae8a67224cc37cfd69264f9a55feed1cc83c48

NanoCore

430a7e324ab686d71a38548850bb90d018b0d7aec9cdbccb7289beb4d09f5a9f

NanoCore

4f0c49461762f52bd2aebd7f49f0fb673ea4a6ec8d52bfe5d2e44c61ae292719

NanoCore

7370a7e091fac25ebdad745b779e1d83f9599893ae465803dc03c943b66fda1c

NanoCore

7fb9c91eb54a2b4edf3f3ffd386ba95bcae68a086ea82b791a7e59d97107e3e8

NanoCore

84f2cd380b681104f068a5f49d9b4b790a949f042e1f9bea0b793c076489f72e

NanoCore

9b407d80c4f60b65f75a4dd1c05f10d08a59087ce14f64cb8fe9d51032c37b0b

NanoCore

a26b2e637723aaf286bb3c75afa070576c0f5d334161f0f62a27ce41eaf27d37

NanoCore

b8e2713744ae4bf75f6f051a88fd7cd88aa5a9d0e5707932b44a5fb47dd73057

NanoCore

+ 1'071 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name:	win_nanocore_w0 Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample