MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dec608206e941da5042333c8e35fe01bb17e50cc67ec58b03e872694cb5e219b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dec608206e941da5042333c8e35fe01bb17e50cc67ec58b03e872694cb5e219b
SHA3-384 hash: 4181c1fb93d474ffc5d8208c242e972b2a02d165968032b2de0a4d1525150fe9a36b66458f46b9fb943410117741d073
SHA1 hash: 8e7119ccf5621b833133b74325e9a99554935f2d
MD5 hash: 0c6b9390bace83c216802c0bb3bd81b8
humanhash: king-nine-december-ceiling
File name:4A5kokJEF2DziAy.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:420'352 bytes
First seen:2020-07-22 03:15:10 UTC
Last seen:2020-07-22 06:36:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'749 x AgentTesla, 19'653 x Formbook, 12'246 x SnakeKeylogger)
ssdeep 12288:yXrG4UJSI92iNoD1H/2Xldd6ECetyopzZhw3c:9Jh91M8r5NZhh
Threatray 1'666 similar samples on MalwareBazaar
TLSH 5B94DF11EBF40AD9EB954BB9E0661140A7B86A1F67EAE31D1F95F0DC0832B448713F27
Reporter jarumlus
Tags:NanoCore

Intelligence

File Origin
# of uploads :
3
# of downloads :
78
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/30679/
Detection(s):
SecuriteInfo.com.Generic.mg.0c6b9390bace83c2.10141.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a window
Using the Windows Management Instrumentation requests
Creating a file
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/394246
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 249506 Sample: 4A5kokJEF2DziAy.exe Startdate: 22/07/2020 Architecture: WINDOWS Score: 100 43 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 Antivirus detection for dropped file 2->47 49 11 other signatures 2->49 8 4A5kokJEF2DziAy.exe 7 2->8         started        12 MSBuild.exe 4 2->12         started        process3 file4 29 C:\Users\user\AppData\...\tbklNHvmdDAXV.exe, PE32 8->29 dropped 31 C:\...\tbklNHvmdDAXV.exe:Zone.Identifier, ASCII 8->31 dropped 33 C:\Users\user\AppData\Local\...\tmp968B.tmp, XML 8->33 dropped 35 C:\Users\user\...\4A5kokJEF2DziAy.exe.log, ASCII 8->35 dropped 51 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->51 14 MSBuild.exe 13 8->14         started        19 schtasks.exe 1 8->19         started        21 conhost.exe 12->21         started        signatures5 process6 dnsIp7 39 bornsinner.myq-see.com 194.5.97.77, 3941, 49733 DANILENKODE Netherlands 14->39 37 C:\Users\user\AppData\Roaming\...\run.dat, SysEx 14->37 dropped 41 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->41 23 schtasks.exe 1 14->23         started        25 conhost.exe 19->25         started        file8 signatures9 process10 process11 27 conhost.exe 23->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dec608206e941da5042333c8e35fe01bb17e50cc67ec58b03e872694cb5e219b/
Threat name:
ByteCode-MSIL.Backdoor.NanoCore
Create hunting rule
Status:
Malicious
First seen:
2020-07-22 03:17:05 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=33daqidosqo2kbbdgpeogx7adoyx4ugmm7wfrmb6q4tjjs26egnq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
2a2a628e23fa234e422aa5edcb6718f54e5caa2822ee10950a30619d9e9b0534
NanoCore
2ed8cd44621cc06fa9a00f11b5217fe58839a8ec6bfee8d42f78f61263652da5
NanoCore
3c15d1bb32d82a136a76d6e8867506dc2cc12cc183ed5a5c79335cb569e7d52c
NanoCore
476d02f7c777bb08d97cf87c305e3cb4f41501c1b15ddd88e55f31bff0767b0a
NanoCore
49aaf4ae6bf7f60a07c4ffc43ca0be27fce694446436dd07aac5db362142c2c8
NanoCore
75fc0beb16fbe8af2f46d2cfcb7176af4289430516d74017d1a32cd0c37859c0
NanoCore
9256cc7129421443ba770b55f01042e58fa5af856df1db31e830f147213c2a1c
NanoCore
afd354c93f9c9ad2324dd4ecd1e58041f373f1b3360ef8ce2792e437bd104a8d
NanoCore
d5dd3977cdc2602a68093c08e166b1508253ef0934f986d00be980e47b7c50f9
NanoCore
f8a0ada1c983c16a3ff6b107c2a04cac970e51ba9bec2514771271af03b7b9fc
NanoCore
+ 1'656 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
evasion trojan keylogger stealer spyware family:nanocore
Link:
https://tria.ge/reports/200722-ez2sjfl9pn/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks whether UAC is enabled
Checks BIOS information in registry
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
NanoCore
Malware Config
C2 Extraction:
bornsinner.myq-see.com:3941
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dec608206e941da5042333c8e35fe01bb17e50cc67ec58b03e872694cb5e219b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

6f86f7ab4db2df800cccce388746113959278b4c19e9cb4d939247f24bcbb9b0

NanoCore

Executable exe dec608206e941da5042333c8e35fe01bb17e50cc67ec58b03e872694cb5e219b

(this sample)

  
Dropped by
MD5 8aa3e3af016f6c245344fbc378bf0738
  
Dropped by
SHA256 6f86f7ab4db2df800cccce388746113959278b4c19e9cb4d939247f24bcbb9b0
  
Dropped by
NanoCore
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/30679/

Comments