MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f66215f8969f39a42b3227f185e601ab5a866cd23481012353c50693f1ef0b00. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 11


Intelligence 11 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f66215f8969f39a42b3227f185e601ab5a866cd23481012353c50693f1ef0b00
SHA3-384 hash: fc9ecb27ef3a25ac6dacd19f2ac75ae263ce26d29d905f1be1ff162f9e9d7b4d51c8656ab380cdf86134acb09b48b515
SHA1 hash: 06078d9ce710c6619ea2b00feaeb8b9906b9b157
MD5 hash: 89d9a6305833a656f5410c2dfd58d82e
humanhash: victor-apart-william-black
File name:Confirmation Draft Shipping Documents.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:650'240 bytes
First seen:2021-03-30 10:20:58 UTC
Last seen:2021-03-30 10:47:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 6144:rfD4Huh7V7M62DMooWtzDlEyK1xKNTfRYsdwvgDJvKfo+7LhrJgo/b/ailuZt3AB:fMuzMBoWnI1xclqgQdJPA0KKUy
Threatray 99 similar samples on MalwareBazaar
TLSH 9CD492A870AE405DEEB47B24F5B555822FC829325F62FF3F38A667005C63769F98E410
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
NanoCore C2:
185.191.231.252:38884

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.191.231.252:38884 https://threatfox.abuse.ch/ioc/6025/

Intelligence

File Origin
# of uploads :
2
# of downloads :
139
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Confirmation Draft Shipping Documents.exe
Verdict:
Malicious activity
Analysis date:
2021-03-30 10:22:57 UTC
Tags:
rat nanocore
Link:
https://app.any.run/tasks/50194cc1-1600-4391-b45c-3a51797341f9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/127956/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.19992.11047.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/658231
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Protects its processes via BreakOnTermination flag
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 378044 Sample: Confirmation Draft Shipping... Startdate: 30/03/2021 Architecture: WINDOWS Score: 100 66 holyboys.ddns.net 2->66 70 Found malware configuration 2->70 72 Malicious sample detected (through community Yara rule) 2->72 74 Multi AV Scanner detection for dropped file 2->74 76 13 other signatures 2->76 9 Confirmation Draft Shipping Documents.exe 7 2->9         started        13 dhcpmon.exe 4 2->13         started        15 Confirmation Draft Shipping Documents.exe 4 2->15         started        17 dhcpmon.exe 3 2->17         started        signatures3 process4 file5 58 C:\Users\user\AppData\Roaming\rBPBhgqn.exe, PE32 9->58 dropped 60 C:\Users\...\rBPBhgqn.exe:Zone.Identifier, ASCII 9->60 dropped 62 C:\Users\user\AppData\Local\...\tmp350C.tmp, XML 9->62 dropped 64 Confirmation Draft...g Documents.exe.log, ASCII 9->64 dropped 82 Injects a PE file into a foreign processes 9->82 19 Confirmation Draft Shipping Documents.exe 1 15 9->19         started        24 schtasks.exe 1 9->24         started        26 schtasks.exe 13->26         started        28 dhcpmon.exe 13->28         started        30 dhcpmon.exe 13->30         started        32 dhcpmon.exe 13->32         started        34 schtasks.exe 1 15->34         started        36 Confirmation Draft Shipping Documents.exe 2 15->36         started        signatures6 process7 dnsIp8 68 holyboys.ddns.net 185.191.231.252, 38884, 49712, 49719 UNREAL-SERVERSUS Netherlands 19->68 52 C:\Program Files (x86)\...\dhcpmon.exe, PE32 19->52 dropped 54 C:\Users\user\AppData\Roaming\...\run.dat, zlib 19->54 dropped 56 C:\...\dhcpmon.exe:Zone.Identifier, ASCII 19->56 dropped 78 Protects its processes via BreakOnTermination flag 19->78 80 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->80 38 schtasks.exe 1 19->38         started        40 schtasks.exe 1 19->40         started        42 conhost.exe 24->42         started        44 conhost.exe 26->44         started        46 conhost.exe 34->46         started        file9 signatures10 process11 process12 48 conhost.exe 38->48         started        50 conhost.exe 40->50         started       
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f66215f8969f39a42b3227f185e601ab5a866cd23481012353c50693f1ef0b00/
Threat name:
ByteCode-MSIL.Backdoor.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2021-03-30 10:25:52 UTC
File Type:
PE (.Net Exe)
Extracted files:
22
AV detection:
12 of 48 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6zrbl6ewt442ikzse7yylzqbvnnim3gsgsaqci2tyudjh4ppbmaa._file
Verdict:
unknown
Similar samples:
1df38ad7f7297914ac4345c3572a92bd2a0507baedff37681f35b3bb8fa0d9eb
NanoCore
44f7f174bfb0ec27e8dab09f73528402bbd263d0ffd4eca4f42c34c999418231
NanoCore
5b7e2aa7fd116ece66c8a64a2a92a1313fc5a2b29fd2f29b295d46938a50e469
NanoCore
786e84224f6784b9abd40ae7ebc9ffeeaf748a3e4d810681aab7d308f786e857
NanoCore
80c4f287136c2fef0b36fdc744f31bc4e6e1b2ad7185e5074ea655f00e1e170d
NanoCore
88ae2d739cf1bb2cb87e55498b46f53cc6c641ede1cf5619af8d0a128a1a2a39
NanoCore
a185be0edc53aacf866542523d9f2627a21cdcbcf79ed0fcfa1314ea30446ec4
NanoCore
a9a6a44f3eca95cc7785debebea767461798f27978628c58a06474005b8855c8
NanoCore
f3641123cf921225f75e2f86335df6a1066f751521ab15cfbb5f116b6a98e5e8
NanoCore
fe55bb74fe3d91852786cb75c59c3f3884b866723085595222352bc0b6189f80
NanoCore
+ 89 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210330-rw3gyjnbxs/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
NanoCore
Malware Config
C2 Extraction:
holyboys.ddns.net:38884
185.191.231.252:38884
Unpacked files
SH256 hash:
d436034270fb2d5380e4fcecc1ee6c821a1701aed96045fa13f597da16be08fb
MD5 hash:
00cbf73d8b9f03417a3a32957ec64ed4
SHA1 hash:
b862eff1cf240a5ad5325fd258892e534484a6e8
Link:
https://www.unpac.me/results/0e363a49-e3eb-4144-b044-06be1c6de168/
SH256 hash:
f66215f8969f39a42b3227f185e601ab5a866cd23481012353c50693f1ef0b00
MD5 hash:
89d9a6305833a656f5410c2dfd58d82e
SHA1 hash:
06078d9ce710c6619ea2b00feaeb8b9906b9b157
Link:
https://www.unpac.me/results/0e363a49-e3eb-4144-b044-06be1c6de168/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f66215f8969f39a42b3227f185e601ab5a866cd23481012353c50693f1ef0b00

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/127956/

Comments