MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e37567f8b0e6739f6ebb1664bd114f4c9c82210c9c6874e22ce1d4c641a351c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 8


Intelligence 8 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e37567f8b0e6739f6ebb1664bd114f4c9c82210c9c6874e22ce1d4c641a351c8
SHA3-384 hash: 0e1f1213015dfd16997aee548169f7ed285829452126f22e105c83f1c9d8b72fbc07e478b76a98079e76695c34a2d40c
SHA1 hash: 3b299be9ead3676f7e945ae138e8d342485fc848
MD5 hash: 920979cd7781644d25563658b12a88b8
humanhash: princess-arizona-fruit-one
File name:SecuriteInfo.com.Trojan.PWS.Siggen2.53084.29086.26069
Download: download sample
Signature NanoCore
Create hunting rule
File size:410'624 bytes
First seen:2020-08-06 20:46:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:Zf3t125qoEfMxlZC7TZKy2p0lD1+Aa2/Z901KnT/IV3Ehc4BCcWY1TvbGrzfF:745EcCHZKjmVgAa2hO1sMV3EPfNCd
Threatray 1'120 similar samples on MalwareBazaar
TLSH CA94016E00588EEAF4AE123F4C35154BCF67D21F1225D6AF6F35609901BE69C7E40F62
Reporter SecuriteInfoCom
Tags:NanoCore

Intelligence

File Origin
# of uploads :
1
# of downloads :
107
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/41434/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.53084.29086.26069.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/414478
Signature
.NET source code contains potential unpacker
Connects to many ports of the same IP (likely port scanning)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 259535 Sample: SecuriteInfo.com.Trojan.PWS... Startdate: 07/08/2020 Architecture: WINDOWS Score: 100 47 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->47 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 11 other signatures 2->53 8 SecuriteInfo.com.Trojan.PWS.Siggen2.53084.29086.exe 7 2->8         started        12 SecuriteInfo.com.Trojan.PWS.Siggen2.53084.29086.exe 4 2->12         started        process3 file4 33 C:\Users\user\AppData\Roaming\eCuDgl.exe, PE32 8->33 dropped 35 C:\Users\user\...\eCuDgl.exe:Zone.Identifier, ASCII 8->35 dropped 37 C:\Users\user\AppData\Local\...\tmpFFDD.tmp, XML 8->37 dropped 39 SecuriteInfo.com.T...53084.29086.exe.log, ASCII 8->39 dropped 55 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->55 57 Injects a PE file into a foreign processes 8->57 59 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 8->59 14 SecuriteInfo.com.Trojan.PWS.Siggen2.53084.29086.exe 13 8->14         started        19 schtasks.exe 1 8->19         started        21 schtasks.exe 1 12->21         started        23 SecuriteInfo.com.Trojan.PWS.Siggen2.53084.29086.exe 2 12->23         started        signatures5 process6 dnsIp7 43 162.220.160.243, 20198, 49728 IS-AS-1US United States 14->43 41 C:\Users\user\AppData\Roaming\...\run.dat, data 14->41 dropped 45 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->45 25 schtasks.exe 1 14->25         started        27 conhost.exe 19->27         started        29 conhost.exe 21->29         started        file8 signatures9 process10 process11 31 conhost.exe 25->31         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e37567f8b0e6739f6ebb1664bd114f4c9c82210c9c6874e22ce1d4c641a351c8/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-05 15:58:53 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4n2wp6fq4zzz63v3czsl2ekpjsoieiimtruhjyrm4hkmmqndkhea._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
02b10c6690bd0ed3e9b675553519df78a7ede63a398d68304043eacb691fd305
NanoCore
1583c29f396b51c03866ecbac92dfae57d41c361d8f6f5ae71600a84a4b9033d
NanoCore
289c596406900aae22ba6b3d5a9d5465e38faebb46698f89def637389f675ae6
NanoCore
2a828598f4c66e85305d93ce56bad4c27b7bd6a446eb9b9cec27d961b2591b95
NanoCore
644a0403a3c8254a3846b8c07aa7fdeb2cfe21aa5630ca3100949869f60ae407
NanoCore
be1a45ae85bb530727a5e96d3dc19eeb0542991ddb5a747b93665b4599c70ea0
NanoCore
c7434a901ef82dba7f31d229cf40797bae4b6486378262b55120446cf469bfe2
NanoCore
d4b3ccca8a4726bb5093a9109c319456bc557b31a871c1b468c832e076f14b2f
NanoCore
e16297ef56ee81e53dd0bed2d0891132899dba6b888737f0e21a38b361a34a64
NanoCore
ec89b2b660ea42254a90f3b045dc98bfe6d1733878bd39a2a7030d68de169859
NanoCore
+ 1'110 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
evasion trojan keylogger stealer spyware family:nanocore
Link:
https://tria.ge/reports/200806-eryvx35gss/
Behaviour
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks whether UAC is enabled
Checks BIOS information in registry
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
NanoCore
Malware Config
C2 Extraction:
162.220.160.243:20198
ofon.duckdns.org:20198
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e37567f8b0e6739f6ebb1664bd114f4c9c82210c9c6874e22ce1d4c641a351c8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NanoCore

Executable exe e37567f8b0e6739f6ebb1664bd114f4c9c82210c9c6874e22ce1d4c641a351c8

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/41434/
  
URLhaus
https://urlhaus.abuse.ch/url/426418/
  
Delivery method
Distributed via web download

Comments