MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e6a01ce5b7532b69a312fee870b244d1df1a6cac00551981c850ce38edc79af5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e6a01ce5b7532b69a312fee870b244d1df1a6cac00551981c850ce38edc79af5
SHA3-384 hash: 884a82d7a41b42c25a6a35870b472fbc4fbe7048ac43b97876974f57813270f41a81b303dad20a3a872b798c49bffe61
SHA1 hash: 463c942e70fee74aef894c0da58277c884d8c6bd
MD5 hash: 9d64fa92ce93c242c09947e6a0a892a6
humanhash: bluebird-virginia-six-comet
File name:INV.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:553'472 bytes
First seen:2021-11-24 10:36:48 UTC
Last seen:2021-12-02 14:25:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:tOL/Mq/d/xj06PDRQtc0DEt1G2AjKVUhCX+U3/4sQ+5C5xw:tOLUm/mWDk+RA+qgXF/4sQ+U5
Threatray 5'215 similar samples on MalwareBazaar
TLSH T139C412203295A753C8759FF70921248113B362462E11FF4F6EC82A8E7D66F6F8762B53
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
NanoCore C2:
194.85.248.250:1187

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
194.85.248.250:1187 https://threatfox.abuse.ch/ioc/253754/

Intelligence

File Origin
# of uploads :
5
# of downloads :
177
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
INV.exe
Verdict:
Malicious activity
Analysis date:
2021-11-24 10:45:10 UTC
Tags:
trojan nanocore rat
Link:
https://app.any.run/tasks/e24a4ee0-eb19-4c80-9ebc-a8b02f5aef16

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
SecuriteInfo.com.Artemis9D64FA92CE93.9246.22636.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
Creating a file in the Program Files subdirectories
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/619e15d0b71ceed4152e59d7/reports/3748a285-3bbb-4fa3-b802-a4bf5cb8c120/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NanoCoreRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e82d07c0-0ccd-40f2-8019-34e4ab89c46a
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/895289
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Yara detected AntiVM3
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e6a01ce5b7532b69a312fee870b244d1df1a6cac00551981c850ce38edc79af5/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-11-24 10:37:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=42qbzznxkmvwtiys73uhbmse2hpru3fmabkrtaoikdhdr3ohtl2q._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
07f511ce3b6a8fb409c1a05ea3e01a6d92422674224109c8d0889a017122098c
NanoCore
2b8a102443d6ed4c84471a54f058f24f5f55485bba73ebd785fdce294e337110
NanoCore
3d8811d64e17d5ea06d0edae6163b90b2400d06d9afa60ae689d6fe9232bca86
NanoCore
4d394ed696ee7fb3d53a7b064c53f2157b28d9f192de912fe311dd284845e4c9
NanoCore
5a8b4dc95322eed89a2c77350395f8c1f79394369bebec84703ae285092a37f5
NanoCore
7ceb354c4f419b3daed055ae62d5b1aaf58a7b715f8e9de08e5379e7e70ebeb6
NanoCore
9f96527c9f839559485e89c5c5ff8f95708035fd55c9fac0c2edf3764224d860
NanoCore
9fc2ec9a478ddf812c9687c805f340989dc0af33b48100ec6621e422035ce579
NanoCore
ffec1862f56857ad722abbcb98be7af86f2cf0763371bcb40273f0d884157c32
NanoCore
+ 5'205 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger persistence spyware stealer suricata trojan
Link:
https://tria.ge/reports/211124-mntmascdfq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
NanoCore
suricata: ET MALWARE Possible NanoCore C2 60B
Malware Config
C2 Extraction:
dera31.ddns.net:1187
195.133.18.211:1187
Unpacked files
SH256 hash:
bcbbb12a5dee34dc84b2e56f6e7e8bd7f9c0c1680485dd86e3a6d65b21ffd733
MD5 hash:
568d53b6ebd3c16aae493b75a6630ac8
SHA1 hash:
b00ec034b78e4543ff2df1d53e47b02d6b3adb11
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/366e16fb-bb6d-4668-8199-54432a209f5d/
Parent samples :
597b37383f0db8f45ac44bf4b34b8ec275e5f47dab27a03ac79d33790298a42d
dc67d526778506c9a50dd58b681dcd1dc12b82ddf6d7fc2e1097ee3e14ec62e6
56cdb2b48b6c92ed9b25a441bb8bd39d9a952bd3632e21675f2cdc42fc38e0ba
0b4a6e0a3daed7e93bc660cb8942f61674053668791b567581722a28f5413d4c
5e56b94e3be34affd39e1807de617daaaff2bf6844e49275e98d9b3b6b5216d0
a99697cc6e1dd9fa9fdcf15578d870d74ac342941a7fd0fd8d94ada4c3e43375
d0db3a18c0593a628f5c7e2a92b48369c10823af44d4f1e97f0bfbfd84043c59
40bbc3b0772a0365c7c91858d53373935cd72bbe27a431c976cafa12a2305d2e
70cd26dee77c61ddbf3458217f5316bf8e80178a2836095ca3cfe8e34574a7a4
5529226f3c19a35974bb052c674080826df121b5cc3fdb8ccf88c8d7d84d2740
37649a092c0ad878f4fb8d8578c2e7ca110360ba1575e0697baf1efa8e5cb409
e6a01ce5b7532b69a312fee870b244d1df1a6cac00551981c850ce38edc79af5
b186f6738901b0cf5824a3e3789af05342f414f30ad10d615a2b1a4203280627
84b9fef1f2c0dd3e8f8dc93cf6574d30e2c6e5bc819599fea60c71876df0278d
c79d764afe76a2ef453dc220a59820e20eaec56d44ed6ce56f04a76936309ca3
ecda999a236c97792f58358a9b4d89efef315912c58c3471c86a53730d8bca15
8b95710749714e99690b1b32ace69521208b3bb6420765d56647a5fc073a3813
69c47c41277449a2f7b646d5de7ae5d51bf944844b48b9b0df998ff9b6d3a3c9
SH256 hash:
302ac54c94e8bdb12b7fdaeef76e2b936e0294ea5b1ced38c6da51ef50c3067e
MD5 hash:
d1a58ca8f82c480763bfa3205e80b770
SHA1 hash:
7b23287d165b2dae07ead2625bd4e1e525d27a1b
Link:
https://www.unpac.me/results/366e16fb-bb6d-4668-8199-54432a209f5d/
SH256 hash:
e103f890cecde937035accfac32b554e44440925074f411826c097f5f049a21f
MD5 hash:
b7b9e0a402c71804905345ef1f9eeec8
SHA1 hash:
3309acf5ed651f7b5b01b32333a9ec0c97087a3f
Link:
https://www.unpac.me/results/366e16fb-bb6d-4668-8199-54432a209f5d/
SH256 hash:
e6a01ce5b7532b69a312fee870b244d1df1a6cac00551981c850ce38edc79af5
MD5 hash:
9d64fa92ce93c242c09947e6a0a892a6
SHA1 hash:
463c942e70fee74aef894c0da58277c884d8c6bd
Link:
https://www.unpac.me/results/366e16fb-bb6d-4668-8199-54432a209f5d/
Malware family:
NanoCore
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/e6a01ce5b753/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Nanocore
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e6a01ce5b7532b69a312fee870b244d1df1a6cac00551981c850ce38edc79af5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:MALWARE_Win_NanoCore
Create hunting rule
Author:ditekSHen
Description:Detects NanoCore
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:nanocore_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Feb18_1_RID2DF1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:Nanocore_RAT_Gen_2_RID2D96
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_nanocore_w0
Create hunting rule
Author:Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/208914/

Comments