MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eb301ee5bae45a4d93e8c88a0bfda61e962be4c5a5c00255ebdf5aa364f69341. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: NanoCore
Vendor detections: 9

SHA256 hash: eb301ee5bae45a4d93e8c88a0bfda61e962be4c5a5c00255ebdf5aa364f69341
SHA3-384 hash: cd954a4c0d2c51fa0b17f4165a609f6cb483d7553576244211e3e390842530aa0dc59a0b25d3195ab26b9631724489fb
SHA1 hash: 4799e63db69cc9218b034745b8d889dbf8538087
MD5 hash: 099198d6cff5911ed2cb5d13c0887725
humanhash: jersey-lemon-pennsylvania-mississippi
File name: KINO.exe
Signature: NanoCore
File size: 695'296 bytes
First seen: 2020-07-27 06:42:39 UTC
Last seen: 2020-07-27 07:50:40 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f0b426c30c849bf2a18dc2e1e256eecc (5 x MassLogger, 3 x NanoCore, 1 x AgentTesla)
ssdeep: 12288:R9Fs8CaE9aKhI+P7jwfwvBgPqcBQZdd+jVHJ7grtGH4d:jKW6h37jqrycGmVHdMtGH4d
Threatray: 2'652 similar samples on MalwareBazaar
TLSH: 77E4BEF2B2F04433D27326799D1B5768AC3ABE21392858462BF51C4C6F39781396B2D7
Reporter: JAMESWT_WT
Tags: NanoCore

Intelligence

File Origin
Number of uploads: 2
Number of downloads: 89
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Behaviour
Creating a window
Launching a process
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Connection attempt
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Enabling autorun with Startup directory
Result
Threat name: Nanocore
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Creates files in alternative data streams (ADS)
Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Drops VBS files to the startup folder
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
Sigma detected: NanoCore
Writes to foreign memory regions
Yara detected Nanocore RAT
Behaviour
Behavior Graph (ID 251327; sample KINO.exe; start date 27/07/2020; architecture WINDOWS; score 100), recovered from the graph rendering:

Root signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 6 other signatures. Two processes are started at the root: KINO.exe and wscript.exe.
KINO.exe: Contains functionality to inject code into remote processes; Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures. Starts notepad.exe.
wscript.exe: starts gtguihjky.exe.
notepad.exe: drops C:\Users\user\AppData\...\gtguihjky.exe (PE32), C:\Users\...\gtguihjky.exe:Zone.Identifier (ASCII) and C:\Users\user\AppData\Roaming\...\web.vbs (ASCII); Creates files in alternative data streams (ADS); Drops VBS files to the startup folder. Starts gtguihjky.exe.
gtguihjky.exe (started by wscript.exe): Maps a DLL or memory area into another process; starts two further gtguihjky.exe instances, one of which drops C:\Users\user\AppData\...\gtguihjky.exe.log (ASCII).
gtguihjky.exe (started by notepad.exe): Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (creates a PE file in dynamic memory); 4 other signatures. Starts two further gtguihjky.exe instances.
gtguihjky.exe (network-active child): connects to 185.140.53.132 (ports 3940, 49735, 49736; DAVID_CRAIGGG, Sweden) and ndlovusamkello.hopto.org / 105.112.106.233 (port 3940; VNL1-ASNG, Nigeria); drops C:\Users\user\AppData\Roaming\...\run.dat (ISO-8859); Hides that the sample has been downloaded from the Internet (zone.identifier).
The remaining gtguihjky.exe instances form a chain of child processes, each repeatedly flagged "Maps a DLL or memory area into another process" and each spawning further gtguihjky.exe instances.
Threat name: Win32.Trojan.DelfFareIt
Status: Malicious
First seen: 2020-07-27 06:43:25 UTC
File Type: PE (Exe)
Extracted files: 49
AV detection: 25 of 29 (86.21%)
Threat level: 5/5
Result
Malware family: nanocore
Score: 10/10
Tags: upx evasion trojan keylogger stealer spyware family:nanocore
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
NTFS ADS
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Loads dropped DLL
Drops startup file
UPX packed file
Executes dropped EXE
NanoCore
Malware Config
C2 Extraction:
ndlovusamkello.hopto.org:3940
185.140.53.132:3940
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_NanoCore
Author: abuse.ch
Rule name: Nanocore
Author: JPCERT/CC Incident Response Group
Description: detect Nanocore in memory
Reference: internal research
Rule name: Nanocore_RAT_Feb18_1
Author: Florian Roth
Description: Detects Nanocore RAT
Reference: Internal Research - T2T
Rule name: Nanocore_RAT_Gen_2
Author: Florian Roth
Description: Detects the Nanocore RAT
Reference: https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name: win_nanocore_w0
Author: Kevin Breen <kevin@techanarchy.net>

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: NanoCore
File type: Executable exe
SHA256: eb301ee5bae45a4d93e8c88a0bfda61e962be4c5a5c00255ebdf5aa364f69341 (this sample)

Delivery method: Distributed via web download