MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fca8e004262426185cff710c3f904ffe5fd13dbe8de480cbf1320fe565e5513d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 9

Intelligence 9 IOCs YARA 15 File information Comments

SHA256 hash:	fca8e004262426185cff710c3f904ffe5fd13dbe8de480cbf1320fe565e5513d
SHA3-384 hash:	6ba8f5c9151fd9f0cd87599a9f672ab2afc27cd235d3f31f7d40149e6ec7e70fb258e2ab193cdbd5fecdde83f1e9e9a9
SHA1 hash:	168dce3f46ebc157f1ba2df60be774f294e5dfd9
MD5 hash:	a12e34d671d1d18044109d7c972f582d
humanhash:	mirror-saturn-dakota-sierra
File name:	Outstanding Payment.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	1'202'176 bytes
First seen:	2020-10-18 17:14:35 UTC
Last seen:	2020-10-18 17:47:14 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	24576:J4YC1Iz0ikIdQuYKDnTLjEw3XPAAHq7F51dvqA+mH:J4O0LIdsI/53XbK7Fpq
Threatray	1'545 similar samples on MalwareBazaar
TLSH	E9457DB23C92587ECA6B077550A985C1FABA16C73FA48B0D71AF430C0F11A1BEB57257
Reporter	abuse_ch
Tags:	exe NanoCore RAT

Intelligence

File Origin

# of uploads :

# of downloads :

150

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Detection(s):

SecuriteInfo.com.ArtemisA12E34D671D1.10896.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a file in the %temp% subdirectories

Creating a window

Unauthorized injection to a recently created process

Launching a process

Result

Threat name:

Nanocore MailPassView Quasar

Detection:

malicious

Classification:

phis.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/494694

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

.NET source code references suspicious native API functions

Allocates memory in foreign processes

Antivirus detection for dropped file

Binary contains a suspicious time stamp

Detected Nanocore Rat

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Sample uses process hollowing technique

Sigma detected: NanoCore

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file access)

Tries to steal Mail credentials (via file registry)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected MailPassView

Yara detected Nanocore RAT

Yara detected Quasar RAT

Yara detected WebBrowserPassView password recovery tool

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fca8e004262426185cff710c3f904ffe5fd13dbe8de480cbf1320fe565e5513d/

Threat name:

ByteCode-MSIL.Trojan.Quasar

Status:

Malicious

First seen:

2020-10-18 10:33:10 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=7suoabbgeqtbqxh7oegd7ecp7zp5cpn6rxsibs7rgih6kzpfke6q._file

Verdict:

malicious

Label(s):

nanocorerat

NanoCore

2801e23864a2d65490e0ef7663d0d0e4292242f84d8368f0cdeefa868c375521

NanoCore

572c44582bd57e673a2fffa68259bd82cf37b9f95030e2d8906b588e71d808e0

NanoCore

60d1ea55d2ecbd3f8289c2d11413ad2378551b8c87126d81483d18101bbd8e4a

NanoCore

6f8b5cad56d107434291b260c5483479d0ac1d02498d5bfad7468a02dc7fc19d

NanoCore

759650986713eaf7fe5021ead7a0994f33767c14b6a7caf1079379b087df21fe

NanoCore

9dfc0d127c1129cd943b1c6ea494a01b40b6b29656db9a44f3dc3231db127a0e

NanoCore

c0fe48e42fb4769fd14e90de135d33729de312e0b82ba907885b26462f80af01

NanoCore

d478602bac8b8f334f06644dd92fbe60cbba6815ced96503c7aab4df6f305e77

NanoCore

e73cf978acde72a0ec094a6fe4302cd7e369624fe183057d01a1c47fd878324f

NanoCore

+ 1'535 additional samples on MalwareBazaar

Result

Malware family:

quasar

Score:

10/10

Tags:

evasion trojan keylogger stealer spyware family:nanocore persistence family:quasar

Link:

https://tria.ge/reports/201018-7v3x6d3lje/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Suspicious use of SetThreadContext

Adds Run key to start application

Checks whether UAC is enabled

Looks up external IP address via web service

Loads dropped DLL

Reads user/profile data of web browsers

Uses the VBS compiler for execution

Executes dropped EXE

NanoCore

Quasar RAT

Malware Config

C2 Extraction:

3.tcp.ngrok.io:20027

Unpacked files

SH256 hash:

e0becb3532bd89ede90dc881735c824e66df23a639a21ecebdddc20b93e69da3

MD5 hash:

407ec810e825f2dfb808723bd5aaa372

SHA1 hash:

5497c6a174100ded672ddb76013d97bb806fe455

Link:

https://www.unpac.me/results/56d0718d-cacf-402b-81ad-a226191f8f8c/

SH256 hash:

0e06308c84812b25e9d996a1aeade5af7516a47d786aebc2b85ee35612bfcb3e

MD5 hash:

0c02a760100d4fe435f2a1f04a982fba

SHA1 hash:

58a952d4f5debd6e92584c779a6127b263df5bca

Link:

https://www.unpac.me/results/56d0718d-cacf-402b-81ad-a226191f8f8c/

SH256 hash:

c80bd60f5366ea9786742fc07216090c58e7a7194891c4eb04d7b71242a1a5f5

MD5 hash:

3b9bf02d84442e457b9e8f8804d8aab2

SHA1 hash:

a770b30f73cf8d306fa0e884937ffbaecf3c8ff7

Link:

https://www.unpac.me/results/56d0718d-cacf-402b-81ad-a226191f8f8c/

SH256 hash:

c6847dd3e7b51ba63378e430441ce519a96bd35a1e37b5070b7a125f9b89af9d

MD5 hash:

b8268614109951c32f0a2c107b3c36f4

SHA1 hash:

cb3e4a013d82d1b85ef77f65d5671b6397162766

Detections:

win_nanocore_w0

Link:

https://www.unpac.me/results/56d0718d-cacf-402b-81ad-a226191f8f8c/

Parent samples :

SH256 hash:

19d9922060be89a70b76e5c0056e751f1baa5d41819235c92cf4f5d7668e1267

MD5 hash:

811864a0b06c529af894a7fec6ddbf47

SHA1 hash:

d35b82933eb06a6ec60e8cbbdb65eb6cdcaeb6d2

Link:

https://www.unpac.me/results/56d0718d-cacf-402b-81ad-a226191f8f8c/

Parent samples :

afa2f55e149097f9b250142bbfd94d9d56d10649c96adb079fdb0dfdac7c6660
69e2ae11e1b5cbe120bf02301191a1cf05e87fc09b09d63bd782abbf3615d05d
0b778873c94f6bc89a40294c0e85a38ab82509260cd2a2e8b73d00c5c90e8757
7ddfa6f44a60f4b894321f6977f8121cfb371c3c61ac872c58ba61fd5ee13deb

SH256 hash:

f8bee4108a324df32ad5a2ebafa6b7f411402a21e2598cf9db66486970f80fdd

MD5 hash:

a92da98ff6f5ae608503d074617bcc2a

SHA1 hash:

d3eafcccca011bb3a7a5ae52dd9704ceafcde472

Link:

https://www.unpac.me/results/56d0718d-cacf-402b-81ad-a226191f8f8c/

SH256 hash:

f86c49d95f6a57010a0048b0ff1f054de35e581e3b72a276fc81838ffd2f2f73

MD5 hash:

8da5165be6c5e84fc4a2de48fc325194

SHA1 hash:

d4760184de5612b674664c31d4fb66df3063b81f

Detections:

win_nanocore_w0

Link:

https://www.unpac.me/results/56d0718d-cacf-402b-81ad-a226191f8f8c/

Parent samples :

572c44582bd57e673a2fffa68259bd82cf37b9f95030e2d8906b588e71d808e0
fca8e004262426185cff710c3f904ffe5fd13dbe8de480cbf1320fe565e5513d
dca205ee15b1128bf97fa8660ee3240f4283109cd8e4d4334c394766449b6e15
91de70857ce9dbf596a67b2abad7552a467fcc2a155d349799261fb8585e6c18
95ccbdefafb7f4b5e2a505d3681803940a8fa7a5cae06ee56036009b4253c5ac
b938308e908f642f82eb2cfd683a86fcfb09d525e865810dd5af635cfabd315f

SH256 hash:

fca8e004262426185cff710c3f904ffe5fd13dbe8de480cbf1320fe565e5513d

MD5 hash:

a12e34d671d1d18044109d7c972f582d

SHA1 hash:

168dce3f46ebc157f1ba2df60be774f294e5dfd9

Link:

https://www.unpac.me/results/56d0718d-cacf-402b-81ad-a226191f8f8c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Quasar

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fca8e004262426185cff710c3f904ffe5fd13dbe8de480cbf1320fe565e5513d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	CN_disclosed_20180208_KeyLogger_1 Create hunting rule
Author:	Florian Roth
Description:	Detects malware from disclosed CN malware set
Reference:	https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	MAL_QuasarRAT_May19_1 Create hunting rule
Author:	Florian Roth
Description:	Detects QuasarRAT malware
Reference:	https://blog.ensilo.com/uncovering-new-activity-by-apt10

Rule name:	MSILStealer Create hunting rule
Author:	https://github.com/hwvs
Description:	Detects strings from C#/VB Stealers and QuasarRat
Reference:	https://github.com/quasar/QuasarRAT

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name:	Quasar Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect QuasarRAT in memory

Rule name:	Quasar_RAT_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Quasar RAT
Reference:	https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

Rule name:	Quasar_RAT_2 Create hunting rule
Author:	Florian Roth
Description:	Detects Quasar RAT
Reference:	https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

Rule name:	Select_from_enumeration Create hunting rule
Author:	James_inthe_box
Description:	IP and port combo

Rule name:	Vermin_Keylogger_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Vermin Keylogger
Reference:	https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/

Rule name:	win_nanocore_w0 Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>

Rule name:	xRAT_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Patchwork malware
Reference:	https://goo.gl/Pg3P4W

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

exe fca8e004262426185cff710c3f904ffe5fd13dbe8de480cbf1320fe565e5513d

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/72683/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample