MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea4115e347193aa868162072e3db30d9652650aa2915726aa83d91beb202b9bb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ea4115e347193aa868162072e3db30d9652650aa2915726aa83d91beb202b9bb
SHA3-384 hash: 9a081ec5a96653f16fe3f5652101858632528d81cfbdad7ae5ab757dc74b837eaa5f918240d16d9a90bbe3ea45c42131
SHA1 hash: 7575d7ff9e9aed5720c7b8995c9e565087be11fe
MD5 hash: 5ad19231f51175c163381772f37ef5b8
humanhash: monkey-yellow-nitrogen-arizona
File name:00063362123456.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:642'048 bytes
First seen:2020-08-30 06:04:24 UTC
Last seen:2020-08-30 07:19:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:ryESmi/padpH6wFeo2FfklP/GbVrkXORWErk:+XRa7H6wEzfkxGb5kXO0
Threatray 1'064 similar samples on MalwareBazaar
TLSH 4AD4C02A170D9B1DD82CB7BD249500DCE3F1A342DF34E1CCFD9B61E9594568EA1AE283
Reporter abuse_ch
Tags:Endurance exe NanoCore RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: 162-241-214-233.unifiedlayer.com
Sending IP: 162.241.214.233
From: Serena Xing <info@emexapparelcorp.community>
Subject: RE: Bidding of 38D OBA project.
Attachment: 00063362123456.z (contains "00063362123456.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
206
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/53022/
Detection(s):
SecuriteInfo.com.Artemis5AD19231F511.16442.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/454418
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 279581 Sample: 00063362123456.exe Startdate: 30/08/2020 Architecture: WINDOWS Score: 100 55 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->55 57 Found malware configuration 2->57 59 Malicious sample detected (through community Yara rule) 2->59 61 12 other signatures 2->61 8 00063362123456.exe 7 2->8         started        12 RegSvcs.exe 2 2->12         started        14 dhcpmon.exe 2 2->14         started        16 dhcpmon.exe 1 2->16         started        process3 file4 45 C:\Users\user\AppData\...\WFwFcxWlwv.exe, PE32 8->45 dropped 47 C:\Users\...\WFwFcxWlwv.exe:Zone.Identifier, ASCII 8->47 dropped 49 C:\Users\user\AppData\Local\...\tmp2146.tmp, XML 8->49 dropped 51 C:\Users\user\...\00063362123456.exe.log, ASCII 8->51 dropped 65 Writes to foreign memory regions 8->65 67 Allocates memory in foreign processes 8->67 69 Injects a PE file into a foreign processes 8->69 18 RegSvcs.exe 1 14 8->18         started        23 schtasks.exe 1 8->23         started        25 conhost.exe 12->25         started        27 conhost.exe 14->27         started        29 conhost.exe 16->29         started        signatures5 process6 dnsIp7 53 185.244.30.18, 1985, 49712 DAVID_CRAIGGG Netherlands 18->53 41 C:\Users\user\AppData\Roaming\...\run.dat, ISO-8859 18->41 dropped 43 C:\Program Files (x86)\...\dhcpmon.exe, PE32 18->43 dropped 63 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->63 31 schtasks.exe 1 18->31         started        33 schtasks.exe 1 18->33         started        35 conhost.exe 23->35         started        file8 signatures9 process10 process11 37 conhost.exe 31->37         started        39 conhost.exe 33->39         started       
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ea4115e347193aa868162072e3db30d9652650aa2915726aa83d91beb202b9bb/
Threat name:
ByteCode-MSIL.Backdoor.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2020-08-30 00:11:03 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5jarly2hde5kq2awebzohwzq3fssmufkfekxe2vihwi35mqcxg5q._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
013e28fb236b074fae60d3252c602924a886ad4c311310dbb19f85ba1c5e2425
NanoCore
483338a656b2a7bf095d9bf3ca950419f217acdb9812b3d0013ccc13785f305e
NanoCore
5e3140ed7841e6893114a0d4d9c5ee239736449aaba20d2c8939a051e5ef21c5
NanoCore
6cef6b24f9c34ef5503ed6ba52ded7847882e7599bd39954ff9d3409042eeb74
NanoCore
6eb10ca3e8026756f417b8e04510f768c28175817c73be8f21514dfb186d687f
NanoCore
7795d2106023220b5e106b1e05815e7818d66189c01d4bc927767008fccdc6d2
NanoCore
91966b77a6acc2fd64c773d8797a505c40ecd272ebb4b44a5757990b5e4939c5
NanoCore
c1e95a6f558510abc5490b3c48c42b49b999d45ad187691c84d9d06473a16e7a
NanoCore
cff3d5fedc8fdab09a7b27524a02503b53f4f7378ab0a09219701d3b9c3e68f4
NanoCore
fe7d67f2ca207d604740c8e66d22638049ca8a0c40818ad9f1d8515d6912f16d
NanoCore
+ 1'054 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
keylogger trojan stealer spyware family:nanocore persistence
Link:
https://tria.ge/reports/200830-wvdknjlsj2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
NanoCore
Malware Config
C2 Extraction:
185.244.30.18:1985
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ea4115e347193aa868162072e3db30d9652650aa2915726aa83d91beb202b9bb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

z 2333c6e33867d6947704c33ce08dc3c824ee72f7982f48dd343633d990e2e039

NanoCore

Executable exe ea4115e347193aa868162072e3db30d9652650aa2915726aa83d91beb202b9bb

(this sample)

  
Dropped by
MD5 dbca9def44dd4b016114ceaf7b041814
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/53022/
  
Dropped by
SHA256 2333c6e33867d6947704c33ce08dc3c824ee72f7982f48dd343633d990e2e039

Comments