MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec66cd2ec3ec5ee4b67579d7091f101b3f7cedf937b9e092d7b6803894a92df4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 8


Intelligence 8 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ec66cd2ec3ec5ee4b67579d7091f101b3f7cedf937b9e092d7b6803894a92df4
SHA3-384 hash: c32439099ba9ba8eed514a66a9ad73dd40f333d138aac02ae2d2c1237ff5d2e91ffff33c1ab0e29e96d86aa5d47d3ee8
SHA1 hash: fd75384ba2fd1babc922700f8a5dbf8996038d47
MD5 hash: 26d7fd5cf5d0d6b7c1390aa0b6a7e32a
humanhash: yankee-kentucky-papa-eleven
File name:TRACKING UPDATE.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:721'408 bytes
First seen:2021-04-08 14:25:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:QW/ySdmVUM3ie0j1llq8lwyS9r0H/9ef17Nxj6J8a72b2xy:D/y2qUM3l0jlWD0H/9eZj6Jt7Ny
Threatray 59 similar samples on MalwareBazaar
TLSH 27E48C7091F22BC6E9D68EB69E20E649FFF74C809980925ED96438F65173BC4C2441FE
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
NanoCore C2:
185.140.53.10:37151

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.140.53.10:37151 https://threatfox.abuse.ch/ioc/7409/

Intelligence

File Origin
# of uploads :
1
# of downloads :
184
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
TRACKING UPDATE.exe
Verdict:
Malicious activity
Analysis date:
2021-04-08 15:29:17 UTC
Tags:
rat nanocore
Link:
https://app.any.run/tasks/e06a9bf3-42e4-4847-8670-e31331a58ccf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/133229/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/670349
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 384119 Sample: TRACKING UPDATE.exe Startdate: 08/04/2021 Architecture: WINDOWS Score: 100 57 kennethw201.ddns.net 2->57 65 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->65 67 Found malware configuration 2->67 69 Malicious sample detected (through community Yara rule) 2->69 71 12 other signatures 2->71 8 TRACKING UPDATE.exe 7 2->8         started        12 dhcpmon.exe 2->12         started        signatures3 process4 file5 47 C:\Users\user\AppData\...\naILYUoYDoiOaN.exe, PE32 8->47 dropped 49 C:\Users\user\AppData\Local\...\tmp8E9C.tmp, XML 8->49 dropped 73 Adds a directory exclusion to Windows Defender 8->73 75 Injects a PE file into a foreign processes 8->75 14 TRACKING UPDATE.exe 8->14         started        19 powershell.exe 24 8->19         started        21 powershell.exe 22 8->21         started        31 2 other processes 8->31 23 powershell.exe 12->23         started        25 schtasks.exe 12->25         started        27 powershell.exe 12->27         started        29 dhcpmon.exe 12->29         started        signatures6 process7 dnsIp8 59 kennethw201.ddns.net 185.140.53.10, 37151, 49712, 49716 DAVID_CRAIGGG Sweden 14->59 61 192.168.2.1 unknown unknown 14->61 51 C:\Program Files (x86)\...\dhcpmon.exe, PE32 14->51 dropped 53 C:\Users\user\AppData\Roaming\...\run.dat, ISO-8859 14->53 dropped 55 C:\...\dhcpmon.exe:Zone.Identifier, ASCII 14->55 dropped 63 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->63 33 conhost.exe 19->33         started        35 conhost.exe 21->35         started        37 conhost.exe 23->37         started        39 conhost.exe 25->39         started        41 conhost.exe 27->41         started        43 conhost.exe 31->43         started        45 conhost.exe 31->45         started        file9 signatures10 process11
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ec66cd2ec3ec5ee4b67579d7091f101b3f7cedf937b9e092d7b6803894a92df4/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-04-08 14:26:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
27
AV detection:
22 of 48 (45.83%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5rtm2lwd5rpojntvphlqshyqdm7xz3pzg646bewxw2adrffjfx2a._file
Verdict:
suspicious
Similar samples:
04bc203b9c68d45a74189f7a7bc180fe4fe0304583fae10dee4b036a66e54437
NanoCore
0f554bb19749e97d63525c4d964041e8d6fc149cb0aec5c4560cccf09babc39c
NanoCore
20ec6cdb323f2e2eea0bfb107e820a079a41a3fc6afdf8378de930d7aa7b4160
NanoCore
92ce1caafd5440632d32f232194b05aeeb49702d5bb2d5c6e0f4af2311631180
NanoCore
9b28e086223a3a91a2888e62924e0d7d93bff6e333ae07167fad3aad15c45fb6
NanoCore
bc0cc9f45e5a3b9f2f1815c4787849ebd8ab71d72aca809b687bc462ec9b5899
NanoCore
cb19133e564f301e0b3bcba9f0cd81dd21ab65aaf5a4d506c29e70159b2c26bc
NanoCore
e8faa87b21d0035dfdaba4eff2939be148eda54a3ab5361995268f66d19bf71d
NanoCore
eeba7537e3916a6c6d52340f648f970c4ad8369052fbc235b5ce4e3f166c9aae
NanoCore
f13afdd20e5dbe1fe6bc73b81b8c91604d125a1833b6a14fb9efbeb575ec73ee
NanoCore
+ 49 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210408-wh64asv2sn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
NanoCore
Malware Config
C2 Extraction:
kennethw201.ddns.net:37151
185.140.53.10:37151
Unpacked files
SH256 hash:
c5519ef771321d62260735c62622297b284e823d97b29eed0dae704d89bb4c5f
MD5 hash:
0158502a4a1ee47ae2abfe604f2fd748
SHA1 hash:
3dec24548c89d943f3fe9a4dd0b8663cbdcf6e0d
Link:
https://www.unpac.me/results/0a157154-11e3-407a-a5d2-dc403cbf4fed/
SH256 hash:
ec66cd2ec3ec5ee4b67579d7091f101b3f7cedf937b9e092d7b6803894a92df4
MD5 hash:
26d7fd5cf5d0d6b7c1390aa0b6a7e32a
SHA1 hash:
fd75384ba2fd1babc922700f8a5dbf8996038d47
Link:
https://www.unpac.me/results/0a157154-11e3-407a-a5d2-dc403cbf4fed/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.56
Link:
https://yomi.yoroi.company/submissions/ec66cd2ec3ec5ee4b67579d7091f101b3f7cedf937b9e092d7b6803894a92df4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:nanocore_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/133229/

Comments