MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef8918dcad4fa60f278fddfdcde43b624f696e047650ed2e4155d2b5338cee82. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 15

Intelligence 15 IOCs 1 YARA 20 File information Comments

SHA256 hash:	ef8918dcad4fa60f278fddfdcde43b624f696e047650ed2e4155d2b5338cee82
SHA3-384 hash:	b83799432e31b2c3f6dec2d914acad32d11fcfc58ab819883cad91480811d1f47a926e4c366a97d0eeb7d07be332e6aa
SHA1 hash:	7211d31dabc6e7073cfaa1a748f9d3b2cda2e87d
MD5 hash:	46c9ca22a748d638a625d3c1d23d4340
humanhash:	utah-wisconsin-oven-nuts
File name:	order?gnp.scr.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	1'128'760 bytes
First seen:	2025-05-01 07:06:46 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	75e9596d74d063246ba6f3ac7c5369a0 (8 x DCRat, 5 x PythonStealer, 4 x CoinMiner)
ssdeep	24576:XBkVdlYAoKZV9xWoJaxChFdMYCTG7yMqP00Weq/E:RsvoK7jaxuMjTGzMOM
Threatray	147 similar samples on MalwareBazaar
TLSH	T18535E093F5C210F0E8261B3219769E65467FBC282E34D99E239EB1355B333C24636A5F
TrID	91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39) 3.6% (.EXE) Win64 Executable (generic) (10522/11/4) 1.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.5% (.EXE) Win32 Executable (generic) (4504/4/1) 0.6% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
dhash icon	7139497935111121 (2 x NanoCore)
Reporter	abuse_ch
Tags:	exe NanoCore RAT

abuse_ch

NanoCore C2:
196.251.115.13:48405

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
196.251.115.13:48405	https://threatfox.abuse.ch/ioc/1493508/

Intelligence

File Origin

# of uploads :

# of downloads :

347

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

2025-04-18_46c9ca22a748d638a625d3c1d23d4340_black-basta_cova_cryptbot_elex_luca-stealer

Verdict:

No threats detected

Analysis date:

2025-04-18 06:54:22 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/358f4d3b-06e8-449e-8322-d1ecd1e4ae9f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/5432/

Detection(s):

SecuriteInfo.com.Win64.Malware-gen.14092.25867.UNOFFICIAL

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6801f71c2203b3e10cd0d43d

Tags:

nanocore nukesped

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for the window

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file in the %temp% subdirectories

Launching a service

Creating a process from a recently created file

Creating a process with a hidden window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a file

Launching a process

Creating a file in the %AppData% subdirectories

Creating a file in the Program Files subdirectories

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Query of malicious DNS domain

Adding an exclusion to Microsoft Defender

Enabling autorun by creating a file

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-vm crypto fingerprint installer masquerade microsoft_visual_cc nanocore overlay overlay packed packed packer_detected sfx

Link:

https://www.filescan.io/uploads/68131d99a8d43a4dd6133b90/reports/b504135a-55c2-4c38-8757-139e5c5c0f35/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/ef8918dcad4fa60f278fddfdcde43b624f696e047650ed2e4155d2b5338cee82

Malware family:

NanoCoreRAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0aa21043-a397-4c72-8131-d746a9e4a523

Result

Threat name:

Nanocore

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1679038

Signature

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Detected Nanocore Rat

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Scheduled temp file as task from temp location

Sigma detected: Suspicious Script Execution From Temp Folder

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected Nanocore RAT

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/ef8918dcad4fa60f278fddfdcde43b624f696e047650ed2e4155d2b5338cee82

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ef8918dcad4fa60f278fddfdcde43b624f696e047650ed2e4155d2b5338cee82/

Threat name:

ByteCode-MSIL.Trojan.SnakeKeylogger

Status:

Malicious

First seen:

2025-04-18 06:31:30 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 36 (63.89%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=56errxfnj6ta6j4p3x643zb3mjhws3qeozio2lsbkxjlkm4m52ba._file

Verdict:

malicious

Label(s):

unc_loader_037

nanocorerat

NanoCore

02fadedd141959135f8966a86544730630dc9c23a71b0fb3f9ed1a281997aa2a

NanoCore

21653e267a6c7e4f10064ad2489dba54e04612cc7ce4043b8c8dcaf8b39210d6

NanoCore

460db5dd27f570e7457e80324a126e3d3bfec8daaa508c0be60cb1cb058af2d0

NanoCore

695cb5d1f8e58dc1c894791b70adc5bd1b0401e6e0fcf55a82637796ec236d84

NanoCore

765e63e1c60120f2b2c9f249526049a5312567ab219ba1e22881ebb65c0ce560

NanoCore

db05c047c58c62dff4141f833cd207ca50a07bf6420020f944e5d7c175b20b20

NanoCore

e4f6682204ce8ca3a7c7d5b26fa08a367dea4f33969013f3b840f8aaf3e3ed34

NanoCore

+ 137 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

family:nanocore defense_evasion discovery execution keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/250501-hxpx9agm7z/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in Program Files directory

Suspicious use of SetThreadContext

Adds Run key to start application

Checks whether UAC is enabled

Checks computer location settings

Executes dropped EXE

Command and Scripting Interpreter: PowerShell

NanoCore

Nanocore family

Malware Config

C2 Extraction:

2023endofyear.duckdns.org:48405
127.0.0.1:48405

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/21d2041a-6a0c-43de-af6a-c8189efe9469

Unpacked files

SH256 hash:

ef8918dcad4fa60f278fddfdcde43b624f696e047650ed2e4155d2b5338cee82

MD5 hash:

46c9ca22a748d638a625d3c1d23d4340

SHA1 hash:

7211d31dabc6e7073cfaa1a748f9d3b2cda2e87d

Link:

https://www.unpac.me/results/c582ce9f-4f1a-40cd-8208-fe98f025e450/

SH256 hash:

38ab71edd7d7bea5523ed8b92132d478b3908985aa7c8e1795982e611b33e445

MD5 hash:

b53345657b27e7033018f42b72527507

SHA1 hash:

92d31a31080a95042c0200f7f381511a17d529c7

Link:

https://www.unpac.me/results/c582ce9f-4f1a-40cd-8208-fe98f025e450/

SH256 hash:

1069ac252f2c9bcb7024ef64fd36173f6a962d97d559e16c4a7a11e44599c2e7

MD5 hash:

aff1727864fc1a499ecd53024f0b2790

SHA1 hash:

10aa02dfaf7c9888036b4689136a05b2ff123259

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/c582ce9f-4f1a-40cd-8208-fe98f025e450/

Parent samples :

ef8918dcad4fa60f278fddfdcde43b624f696e047650ed2e4155d2b5338cee82
38ab71edd7d7bea5523ed8b92132d478b3908985aa7c8e1795982e611b33e445

SH256 hash:

a4a61fa5bfe493eec3d526519f8cf487665d962b49a72b1d073873723e035016

MD5 hash:

8320ba4a0f90757f6c287baf930da32b

SHA1 hash:

25008f9d926d897859de9ca3e868b58ad1e0e002

Link:

https://www.unpac.me/results/c582ce9f-4f1a-40cd-8208-fe98f025e450/

SH256 hash:

f21a4f9f77b6a0d513f49486f3c8b9019967ff6bf1da11dd5ada7ce33963b2a5

MD5 hash:

e4715950752a83c1add2d17046195d12

SHA1 hash:

7d33c27353470bb5216e04dccb1f115b48790946

Detections:

win_nanocore_w0

SUSP_OBF_NET_Eazfuscator_String_Encryption_Jan24

Nanocore_RAT_Gen_2

Nanocore_RAT_Feb18_1

Nanocore

MALWARE_Win_NanoCore

Link:

https://www.unpac.me/results/c582ce9f-4f1a-40cd-8208-fe98f025e450/

Parent samples :

ef8918dcad4fa60f278fddfdcde43b624f696e047650ed2e4155d2b5338cee82
38ab71edd7d7bea5523ed8b92132d478b3908985aa7c8e1795982e611b33e445

Malware family:

NanoCore

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ef8918dcad4f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	malware_Nanocore_strings Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	MALWARE_Win_NanoCore Create hunting rule
Author:	ditekSHen
Description:	Detects NanoCore

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	nanocore_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Feb18_1_RID2DF1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name:	Nanocore_RAT_Gen_2_RID2D96 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SelfExtractingRAR Create hunting rule
Author:	Xavier Mertens
Description:	Detects an SFX archive with automatic script execution

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	Windows_Trojan_Nanocore_d8c4e3c5 Create hunting rule
Author:	Elastic Security

Rule name:	win_nanocore_w0 Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/5432/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Reviews

ID	Capabilities	Evidence
GDI_PLUS_API	Interfaces with Graphics	gdiplus.dll::GdiplusStartup gdiplus.dll::GdiplusShutdown gdiplus.dll::GdipAlloc
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryW KERNEL32.dll::LoadLibraryExA KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetSystemInfo KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::AllocConsole KERNEL32.dll::AttachConsole KERNEL32.dll::WriteConsoleW KERNEL32.dll::FreeConsole KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleMode KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateHardLinkW KERNEL32.dll::CreateFileW KERNEL32.dll::CreateFileMappingW KERNEL32.dll::DeleteFileW KERNEL32.dll::MoveFileW KERNEL32.dll::MoveFileExW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample