MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec359f50ca15395f273899c0ff7c0cd87ab5c2e23fdcfc6c72fedc0097161d4b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NanoCore


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments

SHA256 hash: ec359f50ca15395f273899c0ff7c0cd87ab5c2e23fdcfc6c72fedc0097161d4b
SHA3-384 hash: 1d00cceb26b3a28d6e18293142b7959c281cbfd500ff0475884d72dcef42f75f307f14fb8e2ba2377877f390b924b7b9
SHA1 hash: be64732f46c8a26a5bbf9d7f69c7f031b2c5180b
MD5 hash: 1728acc244115cbafd3b810277d2e321
humanhash: pip-bakerloo-nineteen-may
File name:NanoCore.exe
Download: download sample
Signature NanoCore
File size:1'442'816 bytes
First seen:2023-07-30 20:51:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'097 x AgentTesla, 20'115 x Formbook, 12'356 x SnakeKeylogger)
ssdeep 24576:d7dOT1b7eAJzjSTUd+21nm3kEvpqZ0vSxmfexX6shz07DTl/uz:d7dqVw2+2KkS4PmGX6og7
Threatray 211 similar samples on MalwareBazaar
TLSH T1C765BE01A6B2CF2AD3D86A3981ABC22C4B51D973F323B75B1F2E74642C5223B4D417D6
TrID 47.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
20.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
8.4% (.SCR) Windows screen saver (13097/50/3)
6.8% (.EXE) Win64 Executable (generic) (10523/12/4)
4.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
dhash icon 70f0aaa8e8aaf870 (1 x NanoCore)
Reporter ULTRAFRAUD
Tags:exe NanoCore

Intelligence


File Origin
# of uploads :
1
# of downloads :
375
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
NanoCore (1).exe
Verdict:
Suspicious activity
Analysis date:
2022-06-12 20:37:10 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Launching a process
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cmd control explorer lolbin lolbin nanocore obfuscated packed remote shell32
Result
Threat name:
Nanocore
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Detected Nanocore Rat
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Threat name:
ByteCode-MSIL.Backdoor.NanoCore
Status:
Malicious
First seen:
2015-07-03 10:00:25 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
35 of 38 (92.11%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
ec359f50ca15395f273899c0ff7c0cd87ab5c2e23fdcfc6c72fedc0097161d4b
MD5 hash:
1728acc244115cbafd3b810277d2e321
SHA1 hash:
be64732f46c8a26a5bbf9d7f69c7f031b2c5180b
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BAZT_B5_NOCEXInvalidStream
Rule name:MALWARE_Win_NanoCore
Author:ditekSHen
Description:Detects NanoCore
Rule name:nanocore_rat
Author:jeFF0Falltrades
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_Nanocore_d8c4e3c5
Author:Elastic Security

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments