MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e236554afa033c19a46022b3012dcbde0da8e62af0ca7271adfa2449800e3259. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 6

Intelligence 6 IOCs YARA 7 File information Comments

SHA256 hash:	e236554afa033c19a46022b3012dcbde0da8e62af0ca7271adfa2449800e3259
SHA3-384 hash:	c139f63b1dd41c020ca4eafa53bc992cca18c238fd75cb0f0189038c34fb4806152bd2d395f35b00f3c5eea85d1e6c34
SHA1 hash:	88a272b8dde30ebdf8ff15e746d424e075bad0de
MD5 hash:	045d6f898a967f28b466db7847fde07e
humanhash:	blossom-juliet-friend-three
File name:	e236554afa033c19a46022b3012dcbde0da8e62af0ca7271adfa2449800e3259
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	956'416 bytes
First seen:	2020-11-12 14:26:43 UTC
Last seen:	2024-07-24 22:21:39 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:Aa3uo88YAAAxTfFTb0fFR0JXRooUvJXhDXrU7NBaseHGXJJP+oZcvg85SEwX4zXC:b0RAAgFTbh83XrURMx6JJP+omg8cXG
TLSH	A415179D765072EFC857CC32DA681C64EBA0A57B830BD243B05F16A99B4D99BCF140F2
Reporter	seifreed
Tags:	NanoCore

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.424.16587.1099.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Creating a file in the %AppData% subdirectories

DNS request

Connection attempt

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e236554afa033c19a46022b3012dcbde0da8e62af0ca7271adfa2449800e3259/

Threat name:

Win32.Trojan.Sdum

Status:

Malicious

First seen:

2020-11-12 14:30:14 UTC

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4i3fksx2am6btjdaekzqclol3yg2rzrk6dfhe4nn7isetaaogjmq._file

Result

Malware family:

nanocore

Score:

10/10

Tags:

family:nanocore evasion keylogger spyware stealer trojan

Link:

https://tria.ge/reports/201112-17efmmx4pa/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Checks whether UAC is enabled

NanoCore

Malware Config

C2 Extraction:

delightson.ddns.net:4040

Unpacked files

SH256 hash:

e236554afa033c19a46022b3012dcbde0da8e62af0ca7271adfa2449800e3259

MD5 hash:

045d6f898a967f28b466db7847fde07e

SHA1 hash:

88a272b8dde30ebdf8ff15e746d424e075bad0de

Link:

https://www.unpac.me/results/e8315319-135f-4f25-9896-06d572b8249d/

SH256 hash:

f729e0298b79905f6e7244e7a044e4a47506641c2177df6cca0d22957ce59341

MD5 hash:

6dc53dae77efc775bb23c6cd11c2e246

SHA1 hash:

92f1a57729b8ab5ad974f9a1594d5a44dcbea094

Link:

https://www.unpac.me/results/e8315319-135f-4f25-9896-06d572b8249d/

SH256 hash:

e878f4e727067ff91431c064ad1f2c86f1c1f251bfd25717c03aaeb2a24f44f6

MD5 hash:

82edde3ea8cef9ed6463769a081671ce

SHA1 hash:

bee54ff1a6e4301ef78d5b1b60fb9b5f03f81bf6

Detections:

win_nanocore_w0

Link:

https://www.unpac.me/results/e8315319-135f-4f25-9896-06d572b8249d/

Parent samples :

539edf8cbc6fe33f365d3fbf88f6523f1f757b7ef19af5fda2b5d6ef3bbbd0ce
6c9612aee7a17b1f0bed53bf0fd5075184132a9d54f02e1e050ae9ade8a0e994
e236554afa033c19a46022b3012dcbde0da8e62af0ca7271adfa2449800e3259
3aaf212aeca95492c6768b3bf223f8fa4b153e1729f3c22ca50e215271e9d7de

SH256 hash:

bf38958af60389bcb9dec94d1fcd698f7a3fcd8e15285974dc7e2b756ef41c89

MD5 hash:

9ae410aac4165a941351427401fd6ad4

SHA1 hash:

fb8b226a2932b152b298d9312eaa0cf1b412f8d4

Link:

https://www.unpac.me/results/e8315319-135f-4f25-9896-06d572b8249d/

SH256 hash:

bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049

MD5 hash:

a92cc1f6e0a2742350dfda6726db14c0

SHA1 hash:

e5404e3ed46498deb8ad8966a774540c2b8e9c1e

Link:

https://www.unpac.me/results/e8315319-135f-4f25-9896-06d572b8249d/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	nanocore_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name:	Ping_Del_method_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	cmd ping IP nul del

Rule name:	win_nanocore_w0 Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample