MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fcdd13b7b38d1d56a7642ebdffbfde451e73aa0f7b8236b9a345f006c2aff815. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 8


Intelligence 8 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fcdd13b7b38d1d56a7642ebdffbfde451e73aa0f7b8236b9a345f006c2aff815
SHA3-384 hash: a33e4069d91efe1ada1d5d5851db7d6bf698ef6c5139d401b289b7a653ad2198118c93507605b28226e14350d1aaf4fc
SHA1 hash: 9b9e57aa2530017f0916655d5f7e3a9e458ed84b
MD5 hash: 08893ecb54557242afd3874bdc3fffa4
humanhash: virginia-minnesota-sad-mockingbird
File name:fcdd13b7b38d1d56a7642ebdffbfde451e73aa0f7b8236b9a345f006c2aff815
Download: download sample
Signature NanoCore
Create hunting rule
File size:1'304'064 bytes
First seen:2020-11-09 21:56:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bbac62fd99326ea68ec5a33b36925dd1 (46 x AgentTesla, 38 x njrat, 27 x Formbook)
ssdeep 24576:29S126rJENufiVK00gMpIoEXeauEQpkP/R5ZDE4q9MmCS:/htHiV/0gMqeafBXvbaPCS
Threatray 1'243 similar samples on MalwareBazaar
TLSH C7559C12639DC361C261503BB957E735AD2FBB650DA5B3973F8D0D7CABE0620C22A523
Reporter seifreed
Tags:NanoCore

Intelligence

File Origin
# of uploads :
1
# of downloads :
69
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.27686.AidExe.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Deleting a recently created file
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Launching a process
DNS request
Connection attempt
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/527660
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
AutoIt script contains suspicious strings
Detected Nanocore Rat
Drops PE files with benign system names
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 312921 Sample: t2peGvVX8u Startdate: 10/11/2020 Architecture: WINDOWS Score: 100 30 Found malware configuration 2->30 32 Malicious sample detected (through community Yara rule) 2->32 34 Antivirus detection for dropped file 2->34 36 10 other signatures 2->36 6 t2peGvVX8u.exe 1 7 2->6         started        10 svchost.exe 3 2->10         started        12 svchost.exe 1 2->12         started        14 svchost.exe 1 2->14         started        process3 file4 22 C:\Users\user\AppData\Roaming\...\svchost.exe, PE32 6->22 dropped 24 C:\Users\user\...\svchost.exe:Zone.Identifier, ASCII 6->24 dropped 38 Drops PE files with benign system names 6->38 16 RegAsm.exe 6 6->16         started        signatures5 process6 dnsIp7 26 yeahbabka.duckdns.org 16->26 28 127.0.0.1 unknown unknown 16->28 20 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 16->20 dropped file8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fcdd13b7b38d1d56a7642ebdffbfde451e73aa0f7b8236b9a345f006c2aff815/
Threat name:
Win32.Backdoor.NanoCore
Create hunting rule
Status:
Malicious
First seen:
2020-11-10 00:03:53 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7torhn5truovnj3ef2677p66iuphhkqppobdnondixyanqvp7akq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
02b10c6690bd0ed3e9b675553519df78a7ede63a398d68304043eacb691fd305
NanoCore
1038e9a84ab134e86481b12ac645c59e68dd2b182aa201fed07397071e5d057a
NanoCore
49921e6531eac85bf200970640a074072f6071b7a18d23af56706788cd421c1c
NanoCore
5f3c88ad9a168c31fd7cbf37a6858952bad0e6b08a396ec6eb0912faf94c3c0f
NanoCore
71b9cfc637c0d49cc0375574e6254b09545d4ebc584b734aa8e35cf04b991332
NanoCore
94284547903aa955d763b53631e6e4784b4d527cb5e43af0940658feef8230f6
NanoCore
c796d41449235b098b526b28883099b4dac087593d8068396e2c05b28c74a773
NanoCore
c88f2cd1de8f581a1038ef31f8aa401202e34906e8232bc62604b3af4afc2da5
NanoCore
e3e3a0d4264a9b475696aba1bc5963c510560335c0399909c524fcaa5fcee4b5
NanoCore
f8166e1205c9dd0761f42f47c8d3e3c944b72b1fd3713a0383040f263987a649
NanoCore
+ 1'233 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-v7fb2jy4e6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Loads dropped DLL
NanoCore
Malware Config
C2 Extraction:
yeahbabka.duckdns.org:10134
127.0.0.1:10134
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fcdd13b7b38d1d56a7642ebdffbfde451e73aa0f7b8236b9a345f006c2aff815

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:nanocore_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments