MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f6dae5ff37232524f545d43bc3de780c98b0ad6ccdc2058b5e7b35c046a1bd8a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 7

Intelligence 7 IOCs YARA 6 File information Comments

SHA256 hash:	f6dae5ff37232524f545d43bc3de780c98b0ad6ccdc2058b5e7b35c046a1bd8a
SHA3-384 hash:	b88bd6ef9c0e64f38ae791958f6dafd3586dbc3451c7cea0b989c7df4c00c44d6249f4402c6a4c08bfaa39678641801a
SHA1 hash:	7ddb13c08af4637e3da1a94b3e13da1c8df17cf9
MD5 hash:	d96ab6e363ceed639e3093052e0a14f4
humanhash:	cat-early-item-ack
File name:	SOA_2910202.JPG.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	1'965'056 bytes
First seen:	2020-10-30 13:14:38 UTC
Last seen:	2020-10-30 13:26:03 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep	49152:KXAdZt5vwHEYShpWuMHQOuHBHlYZrLS+1KosmEH2:KXALtheErhpWLzuhHld0sXH
TLSH	2995E0F853929657D92F123F952B3C10D353AB65C9FA864A43DCB0390BBF3095A90B4B
Reporter	James_inthe_box
Tags:	exe NanoCore

Intelligence

File Origin

# of uploads :

# of downloads :

112

Origin country :

n/a

Vendor Threat Intelligence

Detection:

NanoCore

Link:

https://www.capesandbox.com/analysis/81228/

Detection(s):

SecuriteInfo.com.Trojan.InjectNET.14.14064.22265.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Result

Threat name:

Nanocore

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/516971

Signature

.NET source code contains potential unpacker

Detected Nanocore Rat

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected AntiVM_3

Yara detected Nanocore RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f6dae5ff37232524f545d43bc3de780c98b0ad6ccdc2058b5e7b35c046a1bd8a/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-10-30 07:19:20 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=63nol7zxemssj5kf2q54hxtybsmlbllmzxbalc26pm24arvbxwfa._file

Result

Malware family:

nanocore

Score:

10/10

Tags:

family:nanocore evasion keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/201030-qawmy8syf2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Modifies service

Suspicious use of SetThreadContext

Adds Run key to start application

Checks whether UAC is enabled

NanoCore

Malware Config

C2 Extraction:

185.140.53.187:4284
127.0.0.1:4284

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	nanocore_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name:	win_nanocore_w0 Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/81228/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample